With all the advanced tools and technologies available to combat cyber-crime, malware and the like, you'd think data would be relatively safe, and much of it is. As the media headlines indicate, however, a large portion of data continues to be compromised, and it is hard to tell how much more may be at risk.
What’s the solution? There’s no single answer but one important strategy for keeping data private and secure is to focus on people, not just on technologies.
While technologies are essential for protecting data, numerous studies show that internal incidents continued to top the list of breach causes in 2014. One of them is Forrester's Business Technographics Global Security Survey, 2014, in which 42% of those surveyed said that internal incidents in their organization were due to inadvertent misuse or an accident.
A study conducted by Cisco further noted that "39% of IT professionals worldwide were more concerned about the threat from their own employees than the threat from outside hackers." Why? For one thing, employee security training is not always implemented thoroughly or effectively. As a result, poor levels of staff awareness leave organizations open to social engineering and advanced attacks. Careless or uninformed employees unwittingly infect their work computers with malware by clicking on pop-ups, downloading files from the internet, opening links from unknown sources and via a number of other avenues.
The growing mobile workforce brings its own set of security challenges. Unencrypted USB drives, laptops, PDAs and other portable devices are an increasing threat to information security. In the hands of negligent or disgruntled employees, every device that accesses the network or stores data is a potential risk to intellectual property or sensitive customer data.
A People-centric Strategy
Just as there is no single solution for ensuring data protection, there is also no single approach to developing a data protection strategy that focuses on people. Instead, it requires a multi-faceted approach. The following tips, which focus on employees, can help.
Develop an understanding of employee behavior and use it to help shape, implement and enforce security protocols, from BYOD policies to IT asset access privileges. Whether you work with outside consultants or your in-house IT security experts, take advantage of every opportunity to better understand how employee behavior and intent relates to security issues. Incorporate that information into your company’s IT security policies.
For example, consider work-from-home arrangements and BYOD. Employees who work from home pose a security risk because they use personal e-mail accounts and computers, and many will use the same devices for personal and company business. Restricting or limiting their access to certain kinds of information may be in order.
Make data security part of each person's job description. Most employees are concerned first and foremost with the requirements of their own positions. Those requirements are the basis of their performance reviews, continued employment, opportunities for advancement and, for some, their bonuses. While data protection should be integral to each employee's role, unless it is spelled out as such, employees typically won't make it a priority.
Actively and regularly educate employees about the reality of risk and their obligations. BYOD, for example, shifts significant responsibilities to employees to safeguard information, comply with the law and manage their personally owned technology to higher standards than they may be ready for or understand. Educate them on regulations and industry standards that apply to your industry and offer practical guidance for device security, information security and device management.
Implement frequent training on security/privacy at all levels of your company, executives included. Information security training should start at the time of hire, and include an orientation on best practices for computer and mobile device usage, in addition to providing information on your company’s security policies. Make sure training also focuses on behavioral change, not just awareness of security and privacy risks. All the training in the world won’t minimize insider data breaches if people don’t change their actions.
Include a testing component to help ensure employees understand what they are learning. Also consider creating specialized learning modules for specific employee groups, such as employees whose positions require knowledge of specific regulations or standards such as HIPAA, PCI DSS or Safe Harbor.
Follow up initial training with periodic refresher courses or, at a minimum, annual review programs. Update training content frequently to help everyone stay on top of emerging threats and other factors that affect overall data security and privacy. These sessions should cover any policy changes, updates to any applicable regulations and a general review of security awareness.
Recognize that data protection is not just an IT responsibility. Employees at all levels of responsibility and across all disciplines must work together to protect critical data assets. When developing data security and privacy policies, involve representatives from all areas of your company. Their input will help you better understand data use throughout your organization, privacy considerations and regulatory requirements, as well as potential roadblocks to implementation or follow-through. It will also enable you to establish data protection ambassadors who can help keep data security and privacy top of mind within their departments.
Keep data protection top of mind for all employees. Use daily security tips that appear on the home page when users log on to their computers. Put IT security awareness posters in employee gathering areas. Implement incentive programs that reward employees for suggestions that improve information security or for successfully preventing data leakage.
Protecting data needs to stay front and center for the executive team as well. While many security decision-makers indicate that recent high-profile cyber-attacks have raised the awareness of their executives, that awareness has not always translated into funding for security initiatives. Make use of every opportunity to educate senior management and rally their support, both for funding IT security budgets and for setting the tone for cybersecurity efforts in the organization. Often, simply informing them of data breaches at other companies and in other industries, and the fall-out from those breaches, can boost their support for data security initiatives.
There are numerous other aspects to a people-centric data protection strategy, among them hiring qualified, knowledgeable information security staff and augmenting in-house security staff with third-party IT security expertise, products and services. Starting with an employee focus, however, can help you build a "human firewall" that reduces the number of threats to data security and privacy, at least within the walls of your organization.