Compliance and Employee Behavior Bother Data Security

Compliance and regulation and the unpredictable behavior of employees have the biggest impact on data security, according to research.

A survey of 304 IT professionals by HANDD found that 21% of respondents felt regulation, legislation and compliance will be one of the greatest business challenges to impact data security, while 21% believe that the behavior of employees and their reactions to social engineering attacks also pose a big challenge.

“Employees are probably your biggest asset, yet they are also your weakest link, and so raising user awareness and improving security consciousness are hugely important for companies that want to drive a culture of security throughout their organization,” HANDD CTO Danny Maher said.

HANDD determined the top challenges to be: regulation; managing access to data; education and awareness; skill and resource and employee pushback.

Mark Taylor, managing consultant at NTT Security, said: “We have to keep in mind that compliance and regulation is driving businesses and business leaders to tighten up their data security, improve their knowledge of risk and their role in leading information security in their businesses, which is why it is seen as a significant challenge.

“A key benefit of the coverage of subjects such as GDPR is that it will improve knowledge of information security at a society level, which is a positive, but people are still at the very heart of information security and whilst businesses continue to support improvements in awareness they still need to focus on the fact that people are often a weaker link when it comes to clicking on phishing emails, opening attachments or simply considering the structure of their passwords/phrases.

“Businesses also need to adapt the way they communicate to reflect this challenge and support the training they provide staff, as an example - sending out staff surveys which ask a member of staff to click on a link is counterproductive to the efforts spent trying to discourage employees from doing this due to the phishing risks.”

Speaking to Infosecurity, Nuix CISO Chris Pogue said that compliance should be the floor, not the ceiling, and security professionals will always see it as the ceiling. “So organizations need to get a better handle on what it means to become compliant as it doesn’t mean you are safe or secure, it means you have met the minimum requirements of your industry to operate,” he added.

“I’ve been a PCI auditor QSA for 13 years and [compliance regulations] are all the same – they are checklists, it just depends on who writes the checklist and what the vertical is, but everyone has their own governance, risk and compliance regime.”

Pogue said that historically, organizations have said that they are compliant so they are not responsible for a data breach, but being compliant is a point in time assessment. “We’ve seen organizations legitimately be disingenuous where they set up their compliance requirements and the auditor leaves and they change back and they say that they are compliant.”

What’s Hot on Infosecurity Magazine?