By David Kidd, Vice President of Governance, Risk & Compliance at Peak 10
In the aftermath of recent data breaches, two thirds of consumers say they don’t trust retailers with their payment and personal information.[1] But has pubic concern inspired action?
According to the 2015 ISACA IT Risk/Reward Barometer the majority of U.S. consumers (89 percent) want employees with access to their personal information to be cyber-security certified, but only 64 percent of businesses feel confident in their own ability to control their IoT device security.[2]
What’s the solution? There’s no single answer but one important strategy for keeping data private and secure on major holidays and beyond is to focus on people, not just on technologies.
Inside Job.
While technology is essential for protecting data, internal challenges can play a large role in data breaches. Why? For one thing, employee security training is not always implemented or is not implemented effectively. As a result, poor security awareness leaves organizations vulnerable to social engineering and advanced attacks. Careless or uninformed employees unwittingly infect their work computers with malware by clicking on pop-ups, downloading applications from the internet and opening links from unknown sources.
In the hands of negligent or disgruntled employees, every device that accesses the network or stores data is a potential risk to intellectual property or sensitive customer data. Investing in people can help protect mission-critical data.
A People-centric Strategy.
Following these five tips, which focus on employees, can help.
1. Develop an understanding of employee behavior and use it to help shape, implement and enforce good security practices.
Whether you work with outside consultants or your in-house IT security experts, take advantage of every opportunity to better understand how employee behavior and intent relates to security issues. Incorporate that information into your company’s IT security policies.
For example, consider work-from-home arrangements and Bring Your Own Device (BYOD). Employees that work from home pose a security risk due to use of personal e-mail and computers, and many will be using the same devices to do personal and company business.
2. Make data security part of each person’s job description.
While data protection should be integral to each employee’s role, unless it is spelled out as such, employees typically won’t make it a priority. Actively and regularly educate employees about the reality of risk and their obligations. Educate them on regulations and industry standards that apply to your industry and offer practical guidance for device security, information security and device management.
3. Implement frequent training on security/privacy at all levels of your company, executives included.
Information security training should start at the time of hire, and include an orientation on best practices for computer and mobile device usage, in addition to providing information on your company’s security policies. Make sure training also focuses on behavioral change, not just awareness of security and privacy risks. All the training in the world won’t minimize insider data breaches if people don’t change their actions.
Include a testing component to help ensure employees understand what they are learning. Also consider creating specialized learning modules for specific employee groups. That could include employees whose positions require knowledge of specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS) or Safe Harbor. Update training content frequently to help everyone stay on top of emerging threats and other factors that affect overall data security and privacy.
4. Embrace the fact that data protection is not just an IT responsibility.
Employees at all levels of responsibility and across all disciplines must work together to protect critical data assets. When developing data security and privacy policies, involve representatives from across all areas of your company. Their input will help you better understand data use throughout your organization, privacy considerations and regulatory requirements, as well as potential roadblocks to implementation.
5. Keep data protection top-of-mind for all employees.
Use daily security tips that appear on the home page when users log on to their computers. Put IT security awareness posters in employee gathering areas. Implement incentive programs that award employees for suggestions that can help improve information security or for successfully mitigating data leakage.
Protecting data needs to stay front and center for the executive team as well. While many security decision-makers indicate that recent high-profile cyber-attacks on IT security have raised the awareness of their executives, awareness has not always translated into funding for security initiatives. Make use of opportunities to educate and rally senior management’s support for funding IT security budgets and for setting the tone for cybersecurity efforts in the organization. Often times, just informing them of data breaches at other companies and in other industries can boost their support for data security initiatives.
Other Tactics.
There are numerous other aspects to a people-centric data protection strategy. Among them: hiring qualified, knowledgeable information security staff and augmenting in-house security staff with third-party IT security expertise, products and services. Starting with an employee focus, however, can help you build a “human firewall” that can reduce the number of threats to data security and privacy — at least within the walls of your organization.
Partnering with trusted service providers who already uphold a strong compliance program, can also help shift this burden so your business can focus more on operations and success, helping young businesses ensure customers and data are safeguarded throughout the holiday season and beyond.
[1] Connexity, Nearly 2/3 American Shoppers Don’t Trust Retailers With Their Payment & Personal Information, February 3, 2015
[2] ISACA, ISACA’s 2015 IT Risk/Reward Barometer, 2015
David Kidd, Vice President of Governance, Risk & Compliance at Peak 10, Inc joined the Peak 10 management team in 2000 where he oversees legal affairs, governance, risk management, compliance and information security. He is the former president of the 7×24 Exchange of the Carolinas and has received professional training and certification through his involvement with the Disaster Recovery Institute International (DRII) and the Information Systems Audit and Control Association (ISACA).
