“We trust our employees, that’s why we don’t…” restrict their access / secure their personal devices / restrict the movement of data. Trust is an interesting thing when it comes to data security. Can you rely on trust alone? The answer is no, and not because employees can’t be trusted (though sometimes malicious intent does compromise data), but most often because employees make mistakes. They copy data to somewhere insecure. They lose a device. They compromise their device or the corporate network by clicking on a phishing email. They share the same insecure password between personal accounts and corporate networks. Mistakes happen, and CIOs and IT admins must first admit that employees are the weakest link in protecting data, no matter the level of trust in the relationship.
Perhaps this fallacy of trust is why employees are slow to change their policies & technologies to better protect data. Earlier this year, the Verizon DBIR tied 90% of all security incidents back to “people,” whether mistakes, phishing, bad behaviour, or lost stuff. Despite this, we see organizations lagging in their response to this “people” issue.
A new report by IDC for Actifio indicates that many areas of data security that could be considered “low-hanging fruit” (easy to implement) are often overlooked. Only 39% of organizations have “very strong” authentication, permissions and audits. Only 29% encrypt data at rest and 33% encrypt data in flight. These are very low figures. Some of the largest breaches, including the one at OPM, indicate that something as simple as social engineering can open up organizations to massive data breaches.
Perhaps we can posit that people are not really to blame for all of these data breaches. Perhaps organizations are to blame for not putting in the controls, processes and policies that would take into account the complex data environment and risk vectors that put data at risk from simple mistakes. Is it the employee’s fault that a lost device led to a data breach, or the organization’s fault for not putting in place processes and technologies that can identify an at-risk device, remotely freeze or wipe it, and later prove that the data remained protected (through these actions and/or encryption)?
Organizations that create a culture of securing data, that implement ongoing awareness of data security risks coupled with policies and well-thought-out layers of protective and responsive technologies, are the ones that can say: “Yes, we trust our employees, but we also know mistakes happen. We’re prepared.” Absolute DDS can help your organization remain in control of data on the multiple devices employees use, whether they are off the network or in the hands of an unauthorized user. Learn more at Absolute.com