Information Security Training Master Class: Winning the Battle Against Data Breaches, Malicious and Negligent Employees, and Natural Disasters

Part 1: The Basics

Disclaimer: I am a crazy person. I read over 50 articles before I wrote this (WHO DOES THAT) and I’m not even sure how I got so sucked in. In short, information security is a big deal right now – and there are tons of ways to combat cybersecurity risks. Tons. Bad news for my eyeballs, but good news for you, because it means that there are so many ways to protect your organization. Trust me – if you don’t find one new piece of advice in here, I will be very surprised – and sad.

Earlier this semester I had an amazing IT class on information security. I’m going to go ahead and give a shout out to my IT professor Dave Chatterjee, because I’m about to shamelessly plunder the information from his class for this post, in addition to all the articles I mentioned above.

First, some stats.

Startling Statistics: Information Security and Data Breaches

From research by Professor Chatterjee:

  • 60% of all attacks are caused or aided by disgruntled employees
  • 90% of companies will experience some sort of a data breach this year

From Time Magazine:

  • New York institutions alone faced 900 data breaches last year, costing a reported $1.37 billion
  • One-third of New Yorkers were data breach victims in 2013

Highlights from the 2014 OTA Breach Report:

  • 89% of breaches and data loss incidents could have been prevented
  • 740 million records disclosed
  • 31% of incidents were due to insider threats or mistakes
  • 21% of the incidents were the result of physical loss (PCs, drives, notebooks, paper documents, etc.)
  • 40% of the top breaches recorded to-date occurred in 2013
  • 76% of breaches were the result of weak or stolen account credentials

You have to admit, the class was timely. With P.F. Chang’s recently reported data breach, not to mention last year’s high-profile data breaches at Living Social, Target, Neiman Marcus, Michael’s stores, and now potentially Home Depot, information security is a hot topic. Time even wrote a cover story on it – “World War Zero: How Hackers Fight to Steal Your Secrets.”

What should be an even hotter topic is how rarely businesses get hacked, considering the sheer volume of attacks they face. Or perhaps they do get hacked more often, and they just don’t know about it. Last year, 3,000 companies didn’t even know they’d been attacked until the government informed them of their victim status.

That’s pretty terrifying from a personal information security standpoint – I would hope the companies harboring my personal information would at least be aware if their information, and therefore my information, was compromised.

According to Vice, 2013 was the worst year for data breaches. They may be speaking from personal experience – they were hacked just a few weeks ago, and in November of 2013 they were reportedly hacked by the Syrian Electronic Army. (To their credit, Vice seems to be taking their own advice: they were well prepared for the attack, passwords were encrypted, making them virtually useless for the hackers, and the vulnerability was patched almost immediately.)

Vice interviewed two members of the Online Trust Alliance (OTA), which recently published the 2014 Data Protection & Breach Readiness Guide (one of the primary sources I consulted for this series). I found these two quotations from the Vice interviews particularly insightful:

“Data breaches are nothing new and have been around for quite some time; however, what we are seeing is a significant increase in incidents that not only harm consumers, but businesses as well, leading to a breakdown in consumer trust,” said Tim Rohrbaugh, VP of Information Security for Intersections Inc. and OTA Board Member. “Having a rigid, black and white approach to security controls and monitoring and being unprepared for an incident will cost businesses more in the end.”

Online Trust Alliance President Craig Spiezle told me [Vice] that users need to take a more holistic view of privacy and security. “In today’s data driven economy, your data strategy can be a competitive advantage, but only if you are good stewards of the data,” he explained. “Being compliant is not good enough. On an ongoing basis re-evaluate the business purposes of collecting and storing data; review which employees need to have access; and review the policies of your cloud providers.”

“Being compliant is not good enough…” This phrase in particular struck a chord with me, as I feel like the compliance officer’s role is expanding exponentially. We often emphasize that training can’t be once and done, awareness programs need more than a poster, Codes of Conduct need to be more than scripted legalese booklets… Nothing is “good enough” without ongoing input from the compliance team.

That’s bad news for resource-strapped compliance teams. It gets worse:

In a survey of senior-level compliance professionals, nearly 44 percent of respondents also said the chief compliance officer (CCO) is only responsible for privacy compliance and breach disclosure after an incident, but has no role in addressing cyber security risks before one. Seventy-five percent of compliance officers are not involved in managing cyber security risk.

That’s unacceptable. If there’s one thing I’ve gotten out of my IT class thus far it’s that IT can’t do everything alone. Compliance can’t either. It’s time to buddy up and share the load. While the Kroll report implies that perhaps compliance officers aren’t comfortable or familiar with the more technical aspects of cyber security, there are plenty of other pieces that the compliance officer can get involved with including information security training.

Join us next week for Part 2 of this series!

About the Author

Pia Adolphsen, Associate Manager of Marketing Content Strategy. Pia leads content strategy at The Network. Previously, she led client advocacy and marketing initiatives in the competitive intelligence industry. She is strongly in favor of lattes, 1.0mm pens, and her Georgia Bulldogs. Connect with Pia on LinkedIn