We all know about Equifax. We all roll our eyes at Yahoo’s remarkably regular revelations that their hack, announced last year, is “worse than previously thought” (they seem to have bitten the bullet this time and admitted that all of their accounts were compromised).
Ultimately, based on the past six months, it’s safe to expect news of a large-scale cyber attack every other week.
While the impact of these attacks is obviously negative, the heightened awareness of cyber threats has been good for understanding the consequences and severity of cyber security and has created urgency among businesses to prevent cyber attacks.
Awareness, though, doesn’t equal prevention. In order to truly strengthen cyber security, businesses need strong policies that focus on communication and training.
Much of the attention paid to cyber security issues is rightly devoted to malicious external actors. External threats pose an incredibly serious risk to information security. However, to fully secure a company, a cyber security policy also needs to address internal risks and exposure.
Internal actors (employees, staff, contractors and so on) represent a potential vehicle for cyber attacks. Nearly 90% of cyber attacks are caused by human error or actions. Due to the increased use of mobile networks outside of company security systems, particularly through remote work and mobile devices, businesses face a higher risk of data exposure than ever before.
To combat internal cyber risk, businesses must maintain cyber security policies that emphasize communication and training. Focusing on these two aspects of cyber security policy improves employee understanding of policy and information security best practices, thus reducing the amount of risk they generate.
Mobile Economy Amplifies Internal Cyber Security Risk
Internal risk is amplified by the mobile extension of the workplace. The use of personal mobile devices, particularly for work from remote locations, exacerbates security risk.
CompTIA reports that open Wi-Fi networks are the largest security concern for mobile workforces. While most companies have protocols against using public or unsecured Wi-Fi networks, the line between a secure and an unsecured network isn’t always clear. For example, Wi-Fi networks in public spaces often have passwords, which may give the impression that the network is “protected”. However, a coffee shop Wi-Fi network with the password “Coffee” does not exactly measure up to an enterprise-grade firewall.
Internal Risks Extend Beyond Mobile Exposure
Unfortunately, avoiding unsecured networks will not cure all cyber security woes. Businesses face internal risk within the comfortable confines of the physical office space as well.
For example, over half of businesses have experienced an email phishing attack in the past year, more common than any form of external attack. Email phishing scams are just as likely to occur at someone’s desk as they are out in the field (although they may be better defended against if the user is operating on a more secure company network).
Another form of internal risk businesses face is failing to update security software and install multiple layers of security. In fact, the CEO of Equifax blamed their security breach on a company individual who didn’t follow through on updating and maintaining their security software. Regular maintenance of information security systems is a necessity in today’s workforce. Oversight in this area is a fundamental internal error.
Communication and Training Reduce Internal Cyber Security Risk
Human error is a palpable cyber security risk factor; there is no doubt about that. However, internal exposure cannot be explained away simply as careless employees. Employees don’t always know when they’re putting their firm at risk. Consider an employee who works in the Accounts Payable department: opening emails from unknown sources is part of their job. If they open an email loaded with a virus or malicious script that attacks company systems, is it really their fault?
To reduce the threat of internal actors and improve information security, businesses need cyber security policies that focus on communication and training. Open communication and training are keys to success in nearly every aspect of a business. Cyber security is no different. The better that employees understand policy, the more likely they are to carefully follow it.
The adage “practice makes perfect” applies as a directive for strengthening a cyber security policy through training and communication. Hold seminars and meetings to discuss best practices for information security. Require that employees pass a “test” to ensure they understand policy regulations. Send test phishing emails. Some of them will trick employees, and that’s okay. The more exposure employees have to the language and format typical of phishing scams, the more likely they are to recognize a real one.
Strong Cyber Security Addresses Internal and External Threats
Cyber security occupies a growing place in the public and business consciousness. With every report of a large-scale cyber attack, the urgency businesses feel to strengthen information security escalates.
The best approach to cyber security is a holistic, strong policy designed to prevent internal threats in addition to those from malicious external actors. Businesses build a strong defense against internal risk through policy that focuses on communication and training.
The threat of external attacks will always remain and should be a primary concern for businesses. Communication and training help employees better understand policy, which in turn increases compliance and the effectiveness of cyber security.