Source: Analysis of 855 confirmed organizational data breaches investigated in 2011 by Verizon RISK Team or one of its international forensic partners in its 2012 Data Breach Investigations Report. Totals exceed 100% because incidents often involve multiple threat events.
Instead, both experts say, employees are more likely to be motivated into compliance if security managers can put risk into a context that relates to them directly. Most employees know that a security breach affects not just data, but also the company's brand and reputation. But Harkins notes that employees in some business units might not fully understand that they could play a role in a breach just by doing what they consider business as usual.
A marketing team, for instance, might want to launch a new interactive website ahead of its competitors, he explains. The website's content might seem harmless if, for example, it doesn't include intellectual property -- just a few interactive screens and videos. But what if a third-party provider that helped develop the site left vulnerabilities that allow a hacker to implant malware in one of the links on the site? Explaining such risks ahead of time, and in a way that's specific to the department's line of business, helps ensure the group will do what's necessary to mitigate damage, Harkins says.
Real-world examples can also drive the message home. When a data breach makes the news, use it as a teaching tool -- in training classes, via email or through video presentations. Discuss the likelihood of a similar breach occurring in your organization. Ask: How would a breach like this have affected our company? What people or business units should remain extra vigilant against a similar attack? What security measures do you already have in place to protect against such an attack?
2. Go Phishing, Internally
Another effective technique is to launch simulated phishing scams: see how many employees take the bait, then offer advice on avoiding similar real-world scams.
Royal Philips Electronics recently launched a pilot program of controlled phishing attacks, says Nick Mankovich, chief information security officer. Working with a professional phishing partner, whom Mankovich declined to name, Philips simulates an email scam that tries to get employees to click a link to a website and then enter their password and username. When an employee clicks on the link, a message pops up explaining his error and offering tips to avoid being scammed in the future.
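As an added illustration of the mechanics described above (this is example code, not Philips' program or its partner's tooling, which the article does not describe), the following Python model shows the three pieces a controlled phishing test needs: a per-recipient link that can be traced back to one employee without putting a name or address in the URL, a landing page that records the click and shows the explanation, and a fake credential form that records only that credentials were entered. The campaign name, recipients, landing URL and training text are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlparse

# Text shown when an employee opens the simulated phishing link (assumed wording).
TRAINING_MESSAGE = (
    "This was a simulated phishing test run by your security team. "
    "The link did not go where the email implied. Before clicking, hover over "
    "links to check the real destination, and never enter your password on a "
    "page you reached from an unexpected email."
)


def make_token(campaign_id: str, recipient_id: str, key: bytes) -> str:
    """Per-recipient token derived with HMAC-SHA256 under a per-campaign key.

    A click can be attributed to one employee by looking the token up, but the
    URL itself carries no name or email address that could leak via proxy logs
    or a forwarded message, and tokens cannot be guessed for other recipients.
    """
    msg = f"{campaign_id}:{recipient_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


class Campaign:
    """One simulated phishing campaign: issues links, records outcomes, reports."""

    def __init__(self, campaign_id: str, recipients, key=None):
        self.campaign_id = campaign_id
        self.key = key or secrets.token_bytes(32)  # keep this out of source in practice
        self.by_token = {}
        self.status = {}
        for rec in recipients:
            self.by_token[make_token(campaign_id, rec, self.key)] = rec
            self.status[rec] = "sent"

    def link_for(self, recipient_id: str, base_url: str) -> str:
        """Link to embed in the lure email sent to this recipient."""
        token = make_token(self.campaign_id, recipient_id, self.key)
        return f"{base_url}?{urlencode({'c': self.campaign_id, 't': token})}"

    def handle_landing(self, url: str) -> dict:
        """What the landing page does when a link is opened: attribute the click
        if the token is known, then show the explanation and tips either way."""
        qs = parse_qs(urlparse(url).query)
        token = qs.get("t", [""])[0]
        rec = self.by_token.get(token)
        if rec is not None and self.status[rec] == "sent":
            self.status[rec] = "clicked"
        return {"attributed": rec is not None, "message": TRAINING_MESSAGE}

    def handle_submit(self, token: str, username: str, password: str) -> dict:
        """Fake login form: record that credentials were entered, nothing more.
        The password is deliberately discarded and never logged or stored."""
        del password
        rec = self.by_token.get(token)
        if rec is not None:
            self.status[rec] = "submitted"
        return {"attributed": rec is not None, "message": TRAINING_MESSAGE}

    def report(self) -> dict:
        """Take-rate summary; 'clicked' includes everyone who went on to submit."""
        counts = Counter(self.status.values())
        sent = len(self.status)
        submitted = counts["submitted"]
        clicked = counts["clicked"] + submitted
        return {
            "sent": sent,
            "clicked": clicked,
            "submitted": submitted,
            "click_rate": round(clicked / sent, 3) if sent else 0.0,
        }


if __name__ == "__main__":
    # Constructed sample run: four recipients, two take the bait, one enters credentials.
    camp = Campaign("q3-pilot", ["alice", "bob", "carol", "dave"])
    base = "https://training.example.invalid/landing"
    camp.handle_landing(camp.link_for("alice", base))
    camp.handle_landing(camp.link_for("bob", base))
    camp.handle_submit(make_token("q3-pilot", "bob", camp.key), "bob", "hunter2")
    print(camp.report())
```

Two design points worth keeping in a real tool: the HMAC token means a forwarded lure or a web-proxy log never reveals which colleague was targeted, and the submit handler records the fact of a credential entry without retaining the password, so the test cannot itself become a store of real passwords.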