Most organisations still believe that hackers and external threats are the biggest risk to their business, but what if the threat comes from within?
According to data security company Code 42, 78% of security professionals state that negligent and careless staff are the biggest threat, and responsible for an average of up to ten security issues per month. These security breaches can lead to significant business disruptions, fines and in the most dramatic cases business closure.
The incidence of accidental loss of data is rising, fuelled by the increase in unstructured data, time-pressured resources and the lack of data and security controls. Some reports state that human error contributes to over 50% of data loss incidents, and that it is also the most damaging category of data loss. Over the past few months we have been referring to an excellent cartoon produced by the well-recognised artist John Klossner which depicts a standard employee (‘Dave’). As you can see below, despite the massive budget spent on perimeter security such as firewalls and intrusion detection, ‘Dave’ is still the weakest security link, and with one simple mistake can cause more damage to the business than it could ever imagine.
Tips to increase security awareness
So how do you avoid employees making simple mistakes?
- Awareness of data value – Firstly organisations need to ensure employees are aware of the value of data that they are creating and sharing each day – what it means to the business, what risks it would present if lost or leaked. This is where data classification really comes to the fore, and through visual labels or tags (either through user-applied or automated classification approaches) the employee can immediately understand the importance of that data.
- Don’t just share security policy – enforce it – It isn’t good enough just to share your corporate security policy via the company intranet. No user pays any attention to this and it therefore becomes impossible to implement and police. Policy must be kept simple but it must be easily enforceable, and data classification tools can help here.
- Monitor, report, analyse, remediate – Once your users are on the team, you need to keep an eye on what they are doing in relation to your policy – not only to ensure you can get an accurate idea of your compliance or governance position, but also to spot potentially risky insiders. Given that the average quoted time to identify a data loss incident is over 100 days, the sooner you spot risky behaviour the better. Because you are involving your users rather than relying on a technical solution alone, applying security policy gives you the opportunity to pinpoint any potential behavioural risks – for example, an employee sending unusually large amounts of confidential data to their personal email address. You can then address them via training, education or, in more serious situations, disciplinary proceedings. As a result, involving your users reduces your business risk of data loss.
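The monitoring step above is easiest to see with a concrete check. The following is an added example, not code from the original article or from any product it describes: it reads constructed email-gateway log lines that already carry a classification label (the visual tag from the first tip), totals the bytes of CONFIDENTIAL data each corporate user sends to personal webmail domains per day, and reports anyone over a threshold. The log format, the list of personal domains, the corporate domain and the 10 MiB threshold are all assumptions chosen for illustration.

```python
"""Flag users sending unusually large volumes of CONFIDENTIAL data to personal email.

Added example (not the article's or any vendor's code). Log format, domains and
threshold are assumptions; tune them to your own gateway and policy.
"""
import re
from collections import defaultdict

CORPORATE_DOMAIN = "example.com"                          # assumed corporate domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed personal webmail domains
THRESHOLD_BYTES = 10 * 1024 * 1024                        # assumed policy: 10 MiB per user per day

# Constructed sample gateway log (hypothetical format):
# timestamp sender recipient classification_label attachment_bytes
SAMPLE_LOG = """\
2024-03-01T09:12:03Z dave@example.com dave.home@gmail.com CONFIDENTIAL 8388608
2024-03-01T10:40:11Z dave@example.com dave.home@gmail.com CONFIDENTIAL 4194304
2024-03-01T11:05:45Z alice@example.com bob@example.com CONFIDENTIAL 52428800
2024-03-01T12:30:00Z carol@example.com carol@yahoo.com PUBLIC 31457280
2024-03-01T13:15:22Z dave@example.com partner@supplier.org INTERNAL 1048576
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, recipient, label, size = m.groups()
    return {"ts": ts, "sender": sender, "recipient": recipient,
            "label": label, "bytes": int(size)}


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_personal(address):
    return domain_of(address) in PERSONAL_DOMAINS


def confidential_bytes_to_personal(log_text):
    """Sum CONFIDENTIAL bytes sent from corporate users to personal domains, per (sender, day)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed line: skip, never crash the monitor
        if domain_of(rec["sender"]) != CORPORATE_DOMAIN:
            continue                       # only our own users are in scope
        if rec["label"] != "CONFIDENTIAL" or not is_personal(rec["recipient"]):
            continue                       # the label from classification drives the check
        day = rec["ts"][:10]               # YYYY-MM-DD from the ISO timestamp
        totals[(rec["sender"], day)] += rec["bytes"]
    return dict(totals)


def flag_risky_senders(log_text, threshold=THRESHOLD_BYTES):
    """Return [(sender, day, bytes)] for every user/day at or above the threshold."""
    totals = confidential_bytes_to_personal(log_text)
    return sorted((who, day, n) for (who, day), n in totals.items() if n >= threshold)


if __name__ == "__main__":
    for who, day, n in flag_risky_senders(SAMPLE_LOG):
        print(f"REVIEW: {who} sent {n} bytes of CONFIDENTIAL data to personal email on {day}")
```

In the sample data only Dave crosses the line: his two messages to Gmail add up to 12 MiB of CONFIDENTIAL data in one day, while Alice's large transfer stays inside the company, Carol's is labelled PUBLIC and Dave's message to a supplier is merely INTERNAL. The output is a review queue for the remediation step in the tip above (training, education or disciplinary action), not an automatic block, and the per-day grouping is what turns a single over-size message into a pattern worth looking at.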
Ultimately organisations need to make their employees part of the solution, not part of the problem. Only by engaging and empowering them to proactively support your security policy and approach will you create a strong security culture.