Training Insiders About Cybersecurity: The D.N.C. Case Study 15:19, February 2, 2017


Data security is ever-changing, from both a compliance and a technological perspective. Understanding cybersecurity updates is critical to keeping on top of them, especially since data security is the top priority of companies.

Once again, another report indicates that most data breaches are caused not by malicious hackers but rather by simple human error. The Society of Corporate Compliance and Ethics (SCCE) released survey results from compliance professionals in Data Breach Incidents, Causes, and Response “to better understand the impact and frequency of data breaches.” While 17% of compliance professionals (up from 11% in 2012) reported a hacker was responsible for a data breach in their companies, 20% reported that a lost device (i.e. laptop) or lost paper files (45%) were the cause of their organization’s data breach. This follows a Ponemon Institute report that found insider negligence to be the leading cause of data theft or loss.

There’s good news, however. Data breaches are down. Thirty-two percent of respondents “reported no incidents, which is 6 percentage points less than the current survey.” Additionally, even though insiders are the leading cause of data breaches, they are also the number one source of reporting an incident. “When asked how was the last incident discovered, survey respondents reported that audits discovered just 5%, and IT reported just 10%. By contrast, employees other than IT reported 46%.” Data security training and education for any insider with access to sensitive data (be it employees, contractors, or third parties) is the most important safeguard companies can take.

To illustrate the importance of training all insiders, the security hacks on the Democratic National Committee (D.N.C.) in 2016 provide a good example. While it’s true that D.N.C. leadership acted quickly when it found out about the hacks to its system in April 2016, it should have known much sooner. According to the New York Times, the F.B.I. called the D.N.C. tech help desk in September 2015 after it confirmed that hackers compromised at least one D.N.C. computer system. It called just one guy, a tech-support contractor who was “no expert in cyberattacks,” who nonetheless did a search of the D.N.C. system and found nothing. Neither the contractor nor the F.B.I. contacted higher-ups at the D.N.C., despite multiple unreturned phone calls from the F.B.I.

To be fair, the contractor did not have reason to believe the D.N.C. was hacked and thought the phone calls were fake. Research shows that gullibility and carelessness, two factors not present in the contractor’s reactions to the D.N.C. breach, are the main factors driving insiders who fall prey to data security scams. Still, the contractor’s reaction is something you would expect from an untrained insider; through better internal cybersecurity training or education, knowledgeable insiders can stop such breaches sooner.

It is still believed that the initial breach to the D.N.C. system was caused by a phishing email mistakenly engaged by an insider. In addition to phishing emails, insider negligence also allows ransomware attacks, reported by PC World as a “top threat” to enterprises. For more information about how to prevent insider negligence, check out LawRoom’s white paper Investing in the Human Firewall: Data Security Training for Employees.

LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Douglas Kelly
Douglas Kelly is EverFi's lead legal editor. He writes on corporate compliance and culture, analyzing new case law, legislation and regulations affecting US companies. Before joining EverFi, he litigated federal and state employment cases and wrote about legal trends. He earned his JD from Berkeley Law and BBA from Emory University.
