The three domains of security – Cyber, Human, and Physical – are fundamentally intertwined and have equal value in any general discussion of security. Ensuring one domain of security therefore requires that the other two are ensured as well. Conversely, when an issue appears within one domain, it can have an adverse effect on the others. When it comes to protecting corporate equities, general security issues often stem from a single, key ingredient: “the human element.” The human element is the sum of individuals’ behavioral patterns and decisions. When business officials are devising security policies, both the decisions made during that process and the level of attention with which they are carried out reflect the human element. In this sense, the human element is the first line of defense when it comes to security. It is important to note that a 2014 IBM security study established that human error is at the root of 95% of all security incidents.
Most security awareness programs inexplicably (and perhaps irresponsibly) overlook the importance of being comprehensive in their security approaches. These programs lack comprehensiveness because they do not educate employees about their individual roles in the entire organization’s security program. Organizations often overemphasize technical controls without any mention of what employees should do in response to the physical concerns they encounter. As a result, the physical concerns are often neglected. When these concerns are allowed to go unresolved in the absence of personal controls, the consequences can become a sizable financial burden for an organization. In addition, these lapses in security present especially inviting conditions for malicious actors seeking to attack an organization.
Just last year, it was reported that the U.S. Department of Health and Human Services fined the Children’s Medical Center of Dallas $3.2 million due to a Health Insurance Portability and Accountability Act of 1996 (HIPAA) breach that resulted in the impermissible disclosure of electronic protected health information. The breach resulted from the loss of an unencrypted BlackBerry device and a laptop that contained the sensitive medical information of about 6,260 patients.
It is vital that security awareness programs include education about best practices associated with a business’s policies and procedures. This starts with fostering a corporate environment where “security is everyone’s responsibility.” All employees should participate in security awareness sessions to better understand the threats that they may encounter. These sessions can offer insights into mitigating existing risk, identifying future risk, and properly reporting suspicious activity before it can become a vulnerability. Meaningful training that strengthens the most common source of security risks is the first step in mitigating the probability of an incident.
Meaningful training is created through varied and routine security awareness sessions. These sessions should focus on both instruction and practical implementation of the concepts discussed. It is also important to ensure employees are engaged during these sessions so that they can internalize the information they are given. This creates buy-in from employees and helps them better understand their part in the protection of people, equipment, and other business assets. The most important barometer for success in this sense is that employees feel more connected to, rather than inconvenienced by, their role in ensuring company security.
As it happens, employees often perform the basic responsibilities of their individual role without any knowledge of an organization’s security priorities. Therefore, it is imperative to the viability of any organization’s security program that a clear security policy is established. In so doing, the organization can point to a clear framework for training employees about security. This is becoming more important as the threats of active shooters and home-grown terrorist attacks are becoming more common. Specifically, as these threats appear more often and with greater magnitude, many local and state governments have implemented laws requiring that businesses develop and rehearse security protocols.
GRA Maven’s team of security experts and experienced legal counsel will meticulously evaluate and/or develop your security awareness program. In either case, the result will be a security program tailored to the dimensions and concerns of your organization. We will conduct a thorough assessment of your organization to provide critical training recommendations. Whether it is by augmenting your current security awareness training, designing an active shooter response, establishing measures for crisis management, or instituting an official policy on workplace violence, we at GRA Maven are more than equipped to strengthen your organization’s security program.