A “blind survey of 200 IT and IT security decision makers in the federal government, military and intelligence communities” (SolarWinds Federal Cybersecurity Survey Summary Report 2015) found that “federal IT pros identified careless and untrained insiders as their greatest source of cybersecurity threats – over malicious external sources such as hackers and terrorists”.
53% of respondents think that careless and untrained insiders represent the largest source of security threat at federal agencies – up from 42% in January 2014 – and only 31% profess themselves “very confident” in their security policies’ ability to combat insider threats. 14% are not confident at all.
Although 43% of respondents consider the most damaging insider threats to come from malicious insiders, a considerable threat also comes from inadequately trained staff not following proper security procedures.
According to the report, phishing attacks – in which unsuspecting users are tricked into downloading malware or handing over personal and business information – accounted for 49% of accidental insider IT security breaches.
When everyone in an organization can jeopardize its security with a single mouse-click, the importance of staff awareness training – including how to recognize phishing attacks – cannot be overstated.
Best-practice information security management
Staff training is an essential component of best-practice information security management, as set out in the international standard ISO 27001. ISO 27001 details the specifications of an ISMS (information security management system), a holistic approach to information security risks that encompasses people, processes, and technology.
The external validation provided by accredited ISO 27001 registration is likely to improve an organization’s cybersecurity posture while confirming to stakeholders, suppliers, and staff that best practices are being employed. Companies also often achieve compliance with a host of legislative frameworks – including state data breach notification laws and federal regulations such as FISMA, the GLBA, HIPAA, and SOX – and international standards like the PCI DSS simply by achieving ISO 27001 registration.
Learn more about ISO 27001
If you’d like to learn more about ISO 27001 and how it can help your organization boost its information security, then download our free green paper: Information Security and ISO 27001 – An Introduction.