Whose job is it to protect corporate data? Management comes to mind first, typically a CISO, CSO or CIO. Next we think of security professionals and IT managers, who currently feel they bear the brunt of the responsibility for data security (our own survey showed many fear a breach would mean losing their job). With so many data breaches attributed to the Insider Threat, to people accidentally or intentionally putting data at risk, it’s clear that everyone needs to play a part in securing data. The question is, how?
I recently contributed an article to CSO Online talking about How Employees Can Share the IT Security Load. In the article, I share the importance of creating a strong security framework, one that includes security policies, training and technologies to support them. I look at a fairly common data breach scenario: a laptop stolen from an employee’s car. It happens more often than you’d think. But the example highlights just how weak that security framework was. Why wasn’t this critical data encrypted? Why was there no technology in place to remotely wipe the information on the device? Was the employee trained to not let a device containing such sensitive data out of his or her direct control? Were there written policies in place covering these issues? If so, were they routinely enforced and were offending employees routinely disciplined? Did anyone audit or monitor the daily operational security practices at this company?
This example isn’t just one mistake. It isn’t just an employee leaving a laptop in a car. There are many oversights like these that lead to data breaches, just as we see with other scenarios. It’s the phishing email that compromises a password which leads to a cyber attack. It’s the employee turning off encryption or deleting a key app designed to secure corporate data that leaves the whole network at risk. And these are costly mistakes, leading to millions of dollars in fines and class action suits.
It’s up to every organization to create, impose and maintain a security-conscious environment. We’ve talked about the importance of a top-down prioritization of data security, which helps every employee internalize the importance of keeping data secure. Employees aren’t going to keep data secure because you tell them to; they must understand why. In the CSO Online article, I recommend that every employee:
- Understand security and what needs to be secured. This includes understanding the value of sensitive data and the key steps to keeping it secure.
- Accept the fanatical need for security, even when it impacts productivity.
- Keep an eye out for security gaps and speak up. Encouraging a culture that rewards employees for admitting mistakes early, or taking responsibility when a gap is noted, helps everyone accept the burden of keeping data secure.
- Reward employees who demonstrate security awareness or who catch gaps.
Keeping data secure is a hard job, and it’s one that IT should not bear alone. Let’s all step up to do our parts to safeguard sensitive data.
At Absolute, we’re doing our part to help you gain control and visibility into your mobile workforce and the sensitive data on those devices, no matter where they are. With this visibility, you can help enforce your data security policies and quickly respond to data that may be at risk. Learn more at Absolute.com