Colonial Pipeline. JBS. Microsoft. If it feels like corporate cyberattacks just keep on coming, it’s because they are. Recently, the Biden-Harris administration warned businesses to step up their cybersecurity efforts. For many employers, it’s an increasingly urgent priority.
Here’s the rub, though: this is not just an IT problem. When it comes to data security breaches, human error plays a very large part. In order to effectively raise the bar, HR must play a key role, too.
Cybersecurity Threats Are Growing
According to the FBI, cybercrime complaints rose by 69% last year—a trend that continues to climb. Experts say it’s no longer a question of if your company will be targeted, but rather a question of when.
According to the annual Verizon Data Breach Investigations Report, out of the 80,000+ potential incidents that occurred in 2020, more than 5,000 turned out to be confirmed data breaches.
While some of these involved the theft of financial information, personal data and intellectual property, ransomware attacks—which lock businesses out of their systems and can disrupt supply chains far and wide—doubled in frequency last year. Between ransom payments, IT remediation, and lost revenues, a business’s bottom line can be crushed.
According to IBM’s 2020 Cost of a Data Breach Report, the average cost of a single corporate data breach was $3.86 million last year, with some companies also facing regulatory fines. For example, AT&T was hit with a $25 million FCC fine after consumer data was leaked in 2015.
In addition, a security breach can damage a company’s brand, causing current and potential customers to flee to more security-minded competitors.
The Prime Culprit: Human Error
For many employers, the first response is to invest in new IT safeguards—which, of course, is absolutely necessary. However, companies can’t afford to overlook the weakest link in their IT defenses: their people.
Unfortunately, human error accounts for the majority of data security lapses. According to the Verizon report, 85% of the breaches studied featured a human element.
Similarly, a joint study by Stanford University and the security firm Tessian found that 88% of security incidents were due to employee error—nearly nine out of 10! In that study, 43% of surveyed employees admitted to committing a systems-related blunder that may have threatened their employer’s IT systems.
Both studies revealed another important shared finding—that hackers’ most successful method of breaching a company’s security was through phishing emails, sent to employees’ corporate email accounts.
Phishing scams have come a long way. Not long ago, they were fairly easy to identify due to their farfetched content and poor grammar. However, in 2021, phishing emails are often startlingly authentic and may appear to relate to the company’s business dealings.
In addition, cybercriminals are leveraging social engineering tactics—such as piquing curiosity or creating an urgent sense of alarm—that trigger employees to act impulsively. That may translate to opening an attachment, clicking a dangerous link, or sharing their sensitive login information.
It’s Time for Company-wide Cybersecurity Training
In addition to technological security upgrades, one of the best steps that employers can take right now is to implement rigorous, company-wide cybersecurity training. Working collaboratively, HR and IT should identify the training requirements for users at every level of the company’s software and systems.
At the most basic level, every employee should know how hackers work and the increasingly sophisticated techniques they employ. In order to recognize threats when they come their way, employees need to know what to look for.
And while phishing scams are an immediate focus, training workers to guard against smishing (text message scams) and vishing (phone fraud) will not only help keep the business’s systems secure, but help workers keep their personal data safe as well.
We can expect to hear more about enhanced cybersecurity, and related training initiatives, in the months ahead. Just last week, the Department of Homeland Security launched StopRansomware.gov, a new resource for businesses and communities, while implementing tougher cybersecurity standards for critical pipelines.
Meanwhile, at least 38 states have introduced or are considering legislation that addresses corporate cybersecurity—some of which provide incentives for workforce training.
Ironically, one of the very systems companies most need to protect—their HCM platform—holds the key to effective data security training. Of course, that would be their learning management system.
For example, EPAY Learning, powered by Cornerstone, offers the data security training courses employers need to offer to every level of user. In addition, it tracks training activity, ensuring the workforce is and remains fully trained, even as digital threats evolve.
Cybersecurity is only going to become a more pressing business priority for employers, and it will be up to HR to manage the all-important human element. If your learning management system isn’t up to the challenge, now is the time to find one that is.