BreachExchange mailing list archives
What Drives People to Maintain Information Security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Oct 2013 01:05:18 -0600
http://www.datacenterjournal.com/it/drives-people-protect-information-security/

We've all heard statistics about how the information being created and stored is growing at an exponential rate. Many now regularly measure database sizes in petabytes, and the growth is not slowing. In a recent article, Gartner analysts predict that enterprise data will grow by 800 percent over the next five years and that 80 percent or more of that new data will be unstructured. Unstructured data is the most difficult to protect as it can take many forms, such as documents, videos, spreadsheets and other content that workers create. Organizations are centralizing information storage to promote better collaboration, but for many the concept of having all their data "eggs" in one basket raises new security concerns.

We also know that much of the information organizations create, gather and use is considered sensitive. Yet despite being bombarded with messages from governments, NGOs, consumers, vendors and the media that sensitive information must be properly governed, many of the individuals who have access to and responsibility for this information usually treat its security as an afterthought.

Why is that? With all the statistics and talk about the amount of information we're generating, the increased security risk of pooling all this information in a central repository and the serious damage a data leak can cause, why is its security not top of mind?

On the basis of my experience in the security industry working with many large organizations around the world and with many individuals who own content (or are responsible for content), I have developed a theory. People only feel compelled to secure information when all of the following apply:

- They have a personal connection to it
- They truly understand the risk that exposure of the information poses
- The impact of such an exposure affects them directly

Data users rarely secure information because it's the right thing to do.
Although there are exceptions, in general people choose to treat data securely because it protects them, rather than doing it for the good of the organization. This isn't a pessimistic view; it's just natural human behavior, at least it is today. Successful security requires that the end user is properly motivated. To that end, we need to examine why organizations are securing data and how to make sure the people in the organization understand why it is to their benefit to ensure that security measures are followed. So what drives people to secure information?

Reducing Liability and Protecting Investment

In many industries, the exposure of sensitive corporate information can have very negative business impacts. Risks can include:

- Compliance violations that result in heavy fines
- Sanctions and legally imposed restrictions on business
- Loss of business reputation (bad PR can lead to lost stock value, lost customers, lost market share and so on)
- Loss or theft of intellectual property

Since a business owner or a C-level executive looks at the business as a whole and is tasked (and financially rewarded) with ensuring its success, senior managers are better positioned to understand the risks. They are also more invested in the consequences of a breach, as it is they who must face the fines, lawsuits and an angry board of directors. They are also the staff with the most to gain, since performance bonuses are often tied to profits.

Yet corporate security measures often fail because the average employee is not as concerned about, or even aware of, these risks to the business. Depending on the employee, they very likely don't even know what information is sensitive or understand how the loss of these items can affect the organization. Unless you both provide a clear way to identify what information is sensitive and effectively motivate employees to secure the data they manage, their ability (and desire) to help protect against data loss will be limited.
Exceptions and the Seeds of Change

In recent years there has been an overall increase in attention paid to security. In industries where the public good is at risk, we find that average workers are beginning to connect to the data they handle. In government agencies, for example, public safety and mission success can be greatly affected if data is leaked. For national-defense departments, internal security agencies (such as the U.S. Department of Homeland Security) and other government departments, the personnel that deal with the data involved are typically well trained in how to handle this type of sensitive information. Additionally, people often go into these areas of work because they have a desire to serve the public or protect the public's safety.

Another area where you find the average worker making a strong connection to their data is in health care. Unlike organizations that must protect personal identifying or financial information, workers at hospitals, insurance companies and government agencies are finding motivation to protect data beyond just bad press, fines or profit loss. A stolen health identity can have a tremendously negative impact on an individual's safety. Consider a health identity used by an impostor who is otherwise without health insurance. Although this situation can be categorized as a kind of financial theft, more seriously the person illegally using the health identity can cause data in the victim's health record to be modified. For example, if the impostor is blood type A, then that data could be applied to the original health record. If the actual insured individual needs an emergency blood transfusion but is type B-negative, his or her health is at risk. In these cases, typically both the senior administrators and the employees are aware of the very serious consequences a data breach can have.

So What Can Be Done to Ensure Information Is Secure?
In most organizations, average individuals tend to feel a true need to secure information when they have a personal connection to it, when they truly understand the consequences of exposure or when the impact of such an exposure can affect them directly. The ideal situation in any organization would be to have each and every individual truly care about securely handling sensitive information.

The best way to create a security mindset is to overtly involve all employees in the organization's security strategy. This approach starts with education to convey what information is sensitive and how it should be handled. Employees also must be aware of the very real and very negative impacts of information exposure, both to the business and to them personally. In addition, openly discussing security policy and asking for best-practice feedback from employees will help foster feelings of ownership and responsibility.

Once employees have been educated and become involved in the security process, organizations need to overtly foster accountability. This accountability can be in the form of check-out procedures for highly sensitive documents or by stamping the employees' names on all documents they access, so that if a document is handled carelessly, it can easily be tracked back to them.

Despite all the tremendous effort and work that has gone into developing some excellent security technologies, they unfortunately are not 100% effective in keeping data secure. Employees' willingness and ability to enforce secure-information governance procedures is vital to helping organizations defend against both inadvertent and malicious exposure of sensitive information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com