Policies and procedures are useless if no one is aware of them. But even better than satisfying mandatory training requirements is setting up systems so that users cannot violate policy, while still being able to perform their jobs.
“Often employees think someone at a higher level is taking care of their data security when in fact the employees are really a major part of the security processes,” he said.
“While on the surface this doesn’t affect the company, the lapse in judgment shows that employees don’t even know how to secure their own information, let alone the company’s data,” Spinosa said. “It also illustrates a problem where employees may be assuming that protections are in place when they aren’t.”