The People Bulletin

How to keep data secure: Focus on your people

William Beer looks at how organisations should be making their people the first line of defence in the battle against damaging security incidents.


Data breaches in an organisation can lead to fines, identity theft and a damaged reputation. The effects can be extremely damaging and it is now recognised that many companies are failing to focus their efforts on one of the main problems - their employees.

Has information security got the right focus?

The Global State of Information Security Survey 2010[1] compiled by PwC reveals that business leaders see data protection as one of their most important priorities, yet many remain unaware that the biggest threat to their data security is not necessarily technology, but rather their employees.

It also shows that only 48% of companies surveyed in the UK have an employee security awareness programme, while the figures for the global leaders in this area, the US (64%) and India and Australia (59%), are much higher. 

In the past the security industry has aimed to solve technical issues with technical solutions. However, 25% of respondents to the Computer Security Institute's Computer Crime and Security Survey[2] reported that more than 60% of their financial losses came from insider breaches rather than external attacks. It would therefore seem that technical point solutions are creating a false sense of security among businesses.

Based on our experience of advising companies on their information security practices, we know that the total cost of rectifying problems after a data breach can be immense - far more than the amount that, if invested wisely, could have mitigated the risks. This was confirmed by a recent research paper by the privacy and information management research firm the Ponemon Institute[3], which calculated the total cost per lost data record at £134; a number which adds up very quickly when a significant volume of records is lost.

People power and data security

Patience is a virtue that many people, especially while at work, do not possess. Improved electronic security measures can result in cumbersome processes which, if deemed a nuisance, will be bypassed by users, leaving the system no better protected.

Although technical defence and security technology is vital to the protection of electronic data and networks, systems remain inherently vulnerable to both negligent and malicious acts. There is always a human element; negligence, ignorance, or curiosity can give rise to serious incidents.

In light of the data security risks posed by employees of an organisation, a new approach is required in which an investment in understanding and influencing the behaviours of all those concerned is balanced against the continued investment in technology and processes.

The investment should be in people. Make them the first line of defence against, rather than the cause of, security incidents. The return on investment from a well-formulated and executed strategy to develop the right behaviours around information security compares very favourably with the ever increasing level of investment in technology-based solutions.

The first steps towards employee-orientated security

As the first line of defence, security-aware employees will often be best placed to identify a potential breach or a weak link. Equally, savvy employees can prevent and reduce the impacts of incidents when they do occur. 

An investment in security awareness can pay for itself many times over. Good security awareness has clear benefits and, as part of a balanced set of measures, can help in:

  • reducing incidents of theft, loss and fraud;
  • avoiding breaches of law and/or regulation, with associated fines and adverse publicity;
  • ensuring continuous availability of business-critical information;
  • protecting brand and reducing the potential for reputational risk; and
  • enabling the use of security as a positive marketing differentiator.

A security-aware workforce will provide improved protection for an organisation’s assets in a cost-effective and efficient manner and give rise to an environment where all staff members are committed to the protection of an organisation’s information assets.

Changing employee attitudes

Senior business managers should be setting an example for their employees by rejecting the all too familiar assumption that ‘it won’t happen to me’. Anyone can be the cause of a data breach through ignorance or negligence, and spreading the message to employees can help reduce the risks considerably.

It is also important to point out the flaws in trusting technology alone to keep data safe. ‘If it has a password, then it is safe’ is another line of thought that is simply inviting data breaches.

A lack of understanding can provide a false sense of security among a workforce, so it is important that the workforce feels responsible for security, as no security measure will fully protect the organisation if the workforce does not implement it on a daily basis.

Employees will feel obliged to protect their organisation and its clients if they care about the company’s goals and aspirations, understand why it is important to keep data secure, and understand and feel trusted in what they are required to do.

Changing employee behaviour

The main objective of any awareness-raising approach is that it should lead people to exhibit new behaviours. However, human behaviour is complex and simply telling people what to do is seldom enough to make people change the way they act.

There is value in considering the regular points of contact that an organisation has with employees, all of which are opportunities to influence behaviours, values and attitudes and to provide consistent messaging on information security issues. The relationship starts with awareness of an organisation before an application for employment and continues through recruitment, induction, training, performance management, reward and all other people processes.

Internally-developed security awareness schemes rarely have sufficient time and resources devoted to them, and the budget required to run such schemes is not always held by the security function. Security awareness is often considered important but not urgent. We would suggest that businesses implement a shared governance responsibility across multiple functions, including HR, finance, IT, legal and sales, to ensure security awareness messaging does not get lost.

Traditional computer-based training packages on the surface appear to satisfy audit and compliance requirements but in reality offer a false sense of security to management and staff. Because they are seen as a tick box activity, they are often rushed and have little impact on day-to-day behaviour. They can also create confusion and resentment among staff who feel they have been made responsible for information security yet do not have the knowledge to be able to act in a decisive manner.

Concise and accessible policies and processes are also essential, as is the support provided to employees and those who buy from or use an organisation’s services. A well thought out approach to developing the right behaviours will ensure that all those working for an organisation will be alert to risks, will want to act to protect it and will know that they will be actively supported in doing so.

Awareness schemes should be tailored to ensure topics are relevant to each individual staff member’s role while consistency and cohesion are key to maintaining employee interest. A programme that develops over several years with a common theme and effective measurement of progress against robust benchmarks is a minimum requirement to ensure the right messages get through to the right people.

Now more than ever it is crucial that organisations begin to recognise the importance of improving their security culture and awareness. Employee attitudes and behaviour can provide a significant and powerful layer of defence in an ever more complex and challenging security world.


[1] www.pwc.com/gx/en/information-security-survey

[2] gocsi.com/survey

[3] www.ponemon.org

William Beer

William Beer has over twenty years of broad international experience at multinational IT companies. He has extensive experience of working in IT services, security environments and with security technologies. William has focused extensively on information security, including security intelligence services, managed security services, data compromise and computer crime. Additional areas in which he specialises include information security incident management, security architecture, security compliance and security awareness.

www.pwc.co.uk
