Employers must take steps to protect themselves and their employees from data hacks and cybersecurity breaches. The best way to do so is to provide their employees with cybersecurity awareness and data privacy training.
While employers often focus on firewalls and other office-wide technology, they may neglect to take steps to prevent entry via their weakest link: their employees. Often, a company’s employees are the ones who inadvertently allow cybercriminals to access confidential information. A 2020 report found that 88% of data breaches are caused by human error, and 43% of people have made mistakes at work that could compromise cybersecurity.
Employers can help prevent these attacks by training their employees. If employees aren’t informed about how hackers steal information and gain access, they will not recognize threats when they receive them. This training also provides benefits beyond just teaching employees about potential cyberattacks; states have begun providing legal incentives to employers that offer cybersecurity and data privacy training.
How Do These Attacks Happen in the First Place?
Cybercriminals or hackers have continued to adapt and advance their tactics to steal data. In general, they attempt to access confidential information in one of two ways.
First, hackers may try to infect computers, mobile devices, and networks with malicious software called malware. This typically occurs when an employee is tricked into clicking on a link or installing a program from the internet.
Second, hackers may use social engineering schemes to trick employees into providing confidential information or access to company systems. For example, fake emails from seemingly similar addresses can trick employees into sending logins, passwords, and other private information. Both methods can provide access to valuable information.
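As an added illustration of the "seemingly similar addresses" tactic, seen from the defender's side: a small Python triage routine (example code added here, not from the article or Clear Law Institute) that flags senders whose domain merely resembles a trusted one, whether by digit-for-letter swaps, transpositions, or a trusted name embedded in a longer domain. The trusted-domain list and the email headers are constructed placeholders.

```python
"""Flag inbound senders whose domain only resembles a trusted one (added example)."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed placeholders: stand-ins for the employer's and a vendor's real domains.
TRUSTED_DOMAINS = {"example.com", "payroll-vendor.example"}

# Digits commonly swapped for the letters they imitate, folded back so that
# "examp1e.com" compares equal to "example.com".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case the domain and fold common look-alike substitutions."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")  # "exarnple" -> "example"


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"  # malformed or missing address: never treat as trusted
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize(trusted):
            return "lookalike"  # identical once homoglyphs are folded
        if SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return "lookalike"  # a character or two off, e.g. a transposition
        if trusted.split(".")[0] in norm:
            return "lookalike"  # trusted name buried in a longer domain
    return "external"


def triage(headers: list[str]) -> list[tuple[str, str]]:
    """Pair each From: header with its verdict, for review or alerting."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header, verdict in triage([
        "IT Helpdesk <helpdesk@example.com>",
        "HR <hr@examp1e.com>",
        "CEO <ceo@exarnple.com>",
        "Vendor <billing@example.com.evil.test>",
        "Newsletter <news@gmail.com>",
    ]):
        print(f"{verdict:9s} {header}")
```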
How Do Data Breaches Harm Companies?
Cybersecurity attacks have become common; since 2005, there have been more than 11 trillion records breached, according to the Privacy Rights Clearinghouse. And the number continues to rise. According to the FBI, there has been a 300% increase in cybercrimes since the beginning of the COVID-19 crisis.
When hackers gain access to confidential employee and customer data, there are numerous harms beyond a breached system.
First, hacks have serious monetary costs for businesses. In a 2020 report, IBM found the average total cost of each breach was $3.86 million. Such hacks impact businesses through short-term costs as they attempt to correct the breach and cause long-term hits to revenue.
Companies may also face regulatory fines after a data breach. In 2015, the Federal Communications Commission (FCC) imposed a $25 million fine on AT&T after consumer data was leaked.
Breaches also harm brand reputation, as customers lose trust in companies that have allowed hackers to breach their systems. Customers value their privacy and are wary of dealing with businesses that do not safeguard their information.
To prevent future revenue losses, businesses need to keep confidential information secure. Training employees is a critical step towards accomplishing this goal.
What Legal Incentives Exist to Encourage Data Security Training?
Already, state governments have started to offer legal incentives to businesses that implement cybersecurity and data privacy training. These protections come in the form of safe harbor laws, which give companies an affirmative legal defense when a breach occurs if they have taken reasonable safeguards to protect information. Two states, Utah and Ohio, have already implemented such legislation.
In 2021, Utah Governor Spencer Cox signed the Cybersecurity Affirmative Defense Act (HB80) into law. This law gives organizations that create, maintain, and reasonably comply with a written cybersecurity program at the time of a breach an affirmative defense to:
- A claim alleging that the organization failed to implement reasonable information security controls that resulted in the breach of system security.
- A claim that the organization failed to appropriately respond to a security breach.
- A claim that the organization failed to appropriately notify an individual whose personal information was compromised in a breach of security.
An organization may not, however, use this defense if it had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information, did not act within a reasonable amount of time on known remedial measures, and the threat or hazard resulted in a breach of system security.
Taking advantage of these protections is voluntary for organizations, but these protections provide important legal benefits. To exercise this affirmative defense, the organization’s written security program must provide administrative, technical, and physical safeguards to protect personal information. These requirements can be fulfilled in many ways. For example, a program meets the requirements when the organization trains employees on practices and procedures to detect, prevent, and respond to a breach of system security.
Thus, training employees on security breaches helps employers in Utah establish an affirmative defense against breach-related lawsuits.
In 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses that voluntarily implement reasonable cybersecurity measures.
Like the Utah law, the Ohio law protects any organization that:
- maintains and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information, and
- reasonably conforms to an industry-recognized cybersecurity framework.
Already, cybersecurity frameworks like NIST Special Publication 800-171 (listed in the Ohio law) recognize training as essential. The publication specifically states that employers should “[e]nsure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.”
Connecticut is also currently considering HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” which would provide protections similar to those in Utah and Ohio.
These examples show the safe harbor laws several states have already implemented. They also suggest that this type of legislation is becoming more common and that more states will enact it as cyberattacks increase.
What Information Should Training Cover?
The reality is that people make mistakes. Employers must be prepared for this and take steps to stop breaches before they happen. Training employees on phishing schemes and other commonly used hacking tactics is the best way to protect proprietary company data. A study from 2015 found that security-related risks can be reduced by up to 70% when businesses invest in cybersecurity training and awareness.
Not all courses, however, are created equal. An effective course is comprehensive and interactive, explaining the different types of potential hacks and attacks. This allows employees to spot potential breaches before they happen. Clear Law Institute provides practical training that teaches employees about:
Current Data Privacy Laws
Organizations that collect and maintain personal information must follow applicable laws such as the Health Insurance Portability and Accountability Act (HIPAA), Americans with Disabilities Act (ADA), and Family Educational Rights and Privacy Act (FERPA).
Malware and Ransomware
Hackers can attempt to gain access to personal information and confidential data by installing malware on a user’s computer, tablet, or mobile device.
Ransomware combines malware with extortion, encrypting files and demanding a ransom from the organization to restore access.
Social Engineering Schemes
Cybercriminals engage in social engineering schemes by contacting a person through email or phone and trying to convince them to send a payment or reveal sensitive personal information.
Email Security
Up to 90% of successful cyberattacks begin with email; emails can contain malware and are used in social engineering schemes. Identifying these schemes protects company data and confidential information.
Safe Internet Use
Many cyber threats can occur because of how a person uses the internet. Using proper precautions when using file-sharing services and social media is essential to cybersecurity.
Password Practices
Employees use passwords to log into desktops, websites, and databases. It is important for those employees to use safe password practices.
Physical Safeguards
Information security involves more than safe email, internet, and password practices. Employers must also implement physical safeguards such as secure thumb drives and printer access codes to prevent unauthorized access to confidential information.
Next Steps: How Employers Can Provide Effective, Personalized Training
The digitization of the workplace is not going away, and neither are cybersecurity threats. Workplaces must change and adapt to protect themselves. In a 2019 study of IT decision-makers, 38% cited cybersecurity training and support as the pillar of their company’s cybersecurity posture. The study also found that organizations that emphasize training are also quicker to detect and more efficient at isolating attacks. Modern, frequently updated employee training is the key to success.
Clear Law Institute’s customized Cybersecurity Awareness and Data Privacy Training course educates employees and helps protect businesses from costly attacks. This course teaches employees the knowledge they need to understand and avoid cyber threats through practical examples.
By educating employees on security threats and how to report data breaches, employers reduce the risk of such attacks and the crippling impact they can have on the workplace. That makes this type of training vital for every employer.
Learn more about Clear Law Institute’s online training, Cybersecurity Awareness and Data Privacy Training.
About the Author
Michael Johnson, CEO of Clear Law Institute, is a former U.S. Department of Justice attorney. Michael has provided training and consulting for organizations around the world such as Google, FedEx, the United Nations, and the World Bank. He is a graduate of Duke University and Harvard Law School.