Security Fridays: Week One
SESadmin | 22/01/2020 | Industry News

How educating employees on the importance of data protection can lower data breaches and data loss
The avoidance of security measures has been around for as long as security measures have existed, and the reasons generally fall into three categories: lack of appropriate education, negligence, or malicious intent.
While most organisations do perform some type of security training, it is generally delivered by simply mandating what must happen, without any explanation as to why, and as a result it does not actually fulfil the needs for which it was designed.
Your average worker wants to do a good job, and they want to do it as quickly as they can and in as few steps as they can. It is a heady mixture of efficiency and laziness that drives us all. Anything that does not produce the output that person is tasked with is therefore seen as pointless and is easily forgotten. In their minds it does not affect them or their work, so why does it matter? Better to keep their nose to the grindstone, just do their work and forget all that extraneous information.
All this stems from the problem that security training does not attach appropriate value to the things it asks users to do. It relies on the idea that people should just do what they are told and that this is enough. But for rules to stick, it is far more important to attach an emotional anchor to the information.
Telling someone that sending an email containing personal information might lead to the company being fined is too abstract. The company's profits are a number they do not tend to feel directly invested in, unless of course they own shares. However, the idea that the loss of personal information causes losses that need to be recouped, to the degree that it could lead to a loss of staff or facilities? That is something they can understand. In some organisations, the loss of data could lead to people losing their houses, or to an abusive ex being able to find their spouse in sheltered housing, stalkers finding their victims, and so on.
Making people understand that the loss of data is not just a matter of numbers but has real, actual consequences can instil an understanding and enable people to become invested. As individuals, they are taking steps that protect people or jobs, and that makes them far more invested.
This applies to negligence as well: just as people can forget the rules in the first place, they can also choose to ignore rules whose worth they do not believe in.
Malicious behaviour is a little trickier, as these people are choosing to act against the rules for personal gain. In these cases, technological measures such as Access Governance tools and Data Loss Prevention tools are essential.
Governance provides the ability to prevent people from having access to data that they might be tempted to abuse, and to enforce division of duties so that no single individual can access enough sensitive data to gain value from it.
Data Loss Prevention provides the controls that prevent abuse of the data a person does legitimately have access to: preventing its release in unapproved ways, and stopping it from being copied or turned into a physical form such as a USB drive or a printed document.
These types of technologies turn the security policy into a technologically enforced control rather than just a document that users can forget or ignore.
So, the things that can be done:
- Obtain user buy-in by explaining the real human consequences of their actions and how the loss of data or a breach can have real-life costs.
- Invest in suitable technological controls such as Data Governance and Data Loss Prevention.
- Audit everything: only by tracking actions can you spot the problems you need to address.
Read the article that was analysed here: https://www.itproportal.com/news/employees-are-deliberately-circumventing-security-policies/