Your IT security team has done due diligence in hardening your organization's IT infrastructure to align it with the latest regulations. You've deployed state-of-the-art Data Loss Prevention (DLP) and intrusion prevention systems (IPSes), firewalls, and antivirus and antimalware solutions. And you have personally overseen all recent compliance audits. You think you can now rest easy; after all, you've raised your organization's security and compliance posture to the highest level possible.
But, suddenly, your world is turned upside down after reading a letter from a credit card company informing you that it believes your organization is the victim of a breach that has compromised payment card information on millions of your customers. You wonder, "How could this be? We've taken every precaution possible!"
Several months later, a time-consuming and expensive forensic audit reveals that cyber-criminals penetrated your network using an employee's user name and password. It's possible that the criminals obtained the password because the employee opened up a document rigged to take advantage of a zero-day exploit.
In this case, it took only one oblivious employee, one who had no understanding of how important it is to avoid opening attachments from unknown and unverified sources, to reduce your IT security infrastructure to the equivalent of an unlocked door with a red blinking sign that reads, "Come on in and take our cardholder data!"
To prevent data breaches and security incidents, organizations operating within regulated environments spend years continually hardening their IT systems and controlling access to information so that employees, customers and business partners only have access to what they need to do their jobs. However, with all of the effort put into information security strategies, one step is often overlooked: training.
Hardening your IT systems without training employees leaves a gaping security hole. Training employees on the latest standards and best practices, on how to integrate information security and compliance-focused habits into their everyday functions, and on how to recognize suspicious behavior is a critical component of any information security strategy.
Unfortunately, training is expensive and resource-intensive. It is no simple task to create a training curriculum, prepare materials (and keep them updated), and then ensure that the training is available around the clock to meet the schedules of employees who may be located throughout the world.