Data-First or Employee-First?

One only has to look at the imbroglio surrounding breaches such as Target, Sony Pictures Entertainment, or, more recently, the Office of Personnel Management, to see that we are living in a new era. Information security has gone mainstream; it’s now a business-critical issue, and no longer an esoteric preserve of IT or risk management sages.

Moreover, fortunes can be won and lost, careers made or broken, and corporate reputations built or destroyed on the integrity of data security practices – and on companies’ responses in the wake of now-inevitable incidents.

But as the world of business is rudely awoken to the reality of the modern threat environment, it’s clear that a degree of recalibration around information security must follow.

In the post-Target world, it is more important to identify and protect valuable data as a matter of priority, rather than focusing primarily on securing end-points or putting up digital walls around the network (though these things are still relevant).

This data-first approach makes sense. Mapping your valuable digital assets, identifying the kinds of information hackers are likely to want, and protecting those as a matter of priority will force you to gain a better understanding of the virtual riches you risk leaving unguarded.

In addition, by seeking to protect the precious resources that criminals are actually after (whether IP, financial data, or employee details), your business must first prove that it can think like the hackers: know your enemy.

And while it may seem obvious to those who practice information security every day that employee PII or the spreadsheets in the accounts department’s public folder are hot property, and need to be handled carefully whenever used, not every employee, senior or otherwise, thinks like that.

By thinking first about what you are trying to protect, rather than the means of protecting it, you can make an appropriate change in mind-set and reap the benefits.

The next challenge is making sure that everyone within your organization shares the same appreciation for the value of the data they’re handling. This is a battle that many companies seem to be losing, not necessarily through want of trying.

Research published this week by Fujitsu found that just 7% of UK employees rate business data as more valuable than personal data. A significant 43% said they had no idea of the value of business data. New data from Sophos, meanwhile, found that half of public sector workers in the UK are unsure whether their organizations’ cybersecurity provisions provide adequate protection against the growing threat of cybercrime – highlighting yet again the low awareness among the wider employee base.

To adopt a data-centric approach to security, it’s no good if the only people who acknowledge the sensitivity of certain kinds of data, and the need to protect it, are sitting in the depths of the IT department or somewhere on the top floor rubbing shoulders with the C-suite.

Securing your data starts from the ground up, meaning every employee should know as a matter of course what sensitive data comprises and how to act around it – how they access it, who they send it to, when and where they work with it, and so on.

Unless this minimal benchmark is hit, it’s simply not going to be possible to develop trustworthy all-round security. No amount of money invested in great solutions or highly qualified professionals is going to suffice if the majority of your workforce doesn’t share the same ideals.

That’s not to say employees are inherently negligent or uninterested – it’s just that the modern security environment necessitates a new approach to education.

A few training videos once or twice a year isn’t going to cut it anymore. Strong investment in developing effective education schemes around security, rather than putting every egg in the technology basket, would be a good start.