As intellectual property and critical data continue to extend into every corner of an organization, information security becomes everyone’s problem and everyone’s responsibility, writes Simon Church
The threat of cyber-attacks is increasing and the impact of serious data breaches has never been greater, with hackers finding ever more sophisticated ways to breach corporate defenses. The results can be both devastating and costly, with the impact costing large UK organizations somewhere between £600,000 and £1.15m on average according to the Department for Business, Innovation & Skills’ Information Security Breaches Survey 2014.
Our recent Risk:Value report, designed to assess the level of risk within organizations and the value that senior executives place on data security, found that over half (56%) of UK businesses fully expect to suffer a security breach at some point. The problem is that there are varying attitudes by employees on how to behave when it comes to accessing their company’s data securely. Just 21% believe accessing data safely is the joint responsibility of them and their IT team and 28% rely on their own judgment of what is ‘safe behavior’, while around half rely solely on IT.
It is clear that organizational culture needs to change – and change quickly. It’s no longer acceptable for staff to ignore their roles and responsibilities when it comes to data security, and it’s no longer acceptable to expect the IT department to take sole responsibility. We will see an even greater need for staff to step up to the plate when it comes to protecting corporate data as they continue to expect greater mobility and improved ways of working, increased collaboration and the use of cloud-based tools and applications.
It’s interesting that employees also behave quite differently when it comes to protecting their personal data compared to work data on their devices. The Risk:Value report revealed that a fifth value their own personal data more than work data, while 55% value them equally, suggesting that employees do not always recognize just how valuable their company’s data is.
Cybercrime is bad for business, but if staff are your key security weakness, then you have a problem. Employees often fail to follow even the strictest security policies and procedures, not for malicious reasons but often because they are busy and looking for the easiest way round it. It’s also perceived as a bit technical and all too often seen as ‘someone else’s job’.
Relevant training and awareness-raising programs are important to help staff understand their responsibilities and change their behavior. But any education program must be combined with well-defined, measurable goals and an understanding of the intended audience.
If businesses can figure out a way to use training and awareness to change employee behavior, an organization’s cyber risk could drop dramatically. Aberdeen Group, in an analysis of 29 independent benchmark studies involving more than 3,500 enterprises, found that leading performers were 70% more likely than the lagging performers to have invested in awareness programs for their end-users.
But more important is the need for executive support. Data security is the responsibility of the board too and it starts and finishes at the top of every organization. Unfortunately, at this level, all too often it is still associated with issues like data protection compliance and regulation, when in fact securing data properly is absolutely critical to enabling businesses to thrive and survive. It’s time for boards to be more receptive and for information security and the associated risks to be brought to the center stage.
Having the right processes and technology are important of course, but it is equally important not to ignore the people. Everyone within an organization – from the top down – must see information security as their responsibility and not someone else’s. They can help play an active part in protecting their company’s critical data, while supporting its overall security and risk posture.
About the Author
Simon Church is CEO of NTT Com Security. Prior to NTT Com Security, Simon was at VeriSign where he held the VP position responsible for enterprise security services, including managed security services, security consulting and threat intelligence. Prior to VeriSign, Simon was the vice president and general manager EMEA at NetIQ, a role gained through the acquisition of Mission Critical Software by NetIQ in 2000.