BreachExchange mailing list archives

Security Think Tank: Create a data security culture to keep data safe


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 4 Nov 2015 20:29:29 -0600

http://www.computerweekly.com/opinion/Security-Think-Tank-Create-a-data-security-culture-to-keep-data-safe

How should businesses go about setting up and maintaining a comprehensive
and accurate inventory of personal data?

Successful efforts must start with culture. Data handling and storage
<http://www.computerweekly.com/news/4500254436/Employee-use-of-cloud-storage-puts-UK-business-data-at-risk>
is something common to more or less every employee, so top-down and siloed
attempts to catalogue and control data will inevitably fail if culture is
ignored.

Imagine you are in a different time and a different industry, which is
generating the white heat of progress and offering the promise of a better
future. It is 1956, and you have just taken on responsibility for handling
radioactive material at Calder Hall, Britain’s biggest nuclear plant. The
atom represents the high-tech, cheap-energy future.

Sadly, there have been so many projects and deadlines that the organisation
has given up keeping track of how every last piece of radioactive material
is handled. Surely to track it all would be impossible anyway?

In either case, most of the “legacy” is kept in a huge man-made lake
outside. Nobody really knows what is in there. Those who do flag the
hazards and suggest protections are routinely ignored or worse.

Enter your “comprehensive enterprise programme”. You’ve bought checklists
with hundreds of predefined handling policies from outside experts. You’ve
created a small team of dedicated personnel to audit and track every action
for every employee on-site.

The problem is that the small team you have budgeted for can’t cover every
risky activity on-site. Few of the productive processes at Calder Hall are
similar to those in the checklists you have bought.

Every time a new project is spun up, the demands on the central cataloguing
team become more onerous and less realistic. The word is out that the
fissile material management team is just a power grab, which is ultimately
stopping people from doing their jobs. The risks people are taking to get
around the auditors are more dangerous than ever before.

The above analogy is stretched, but the message is clear. The benefits of
the nuclear material are obvious, but the individuals who make up the
organisation have not yet woken up to the terrifying risks. In 1956, the
worst nuclear accident in British history was only a year away.

Help the individuals in your organisation understand the risks of holding
data
<http://www.computerweekly.com/news/2240241853/How-to-ensure-your-hot-desking-colleagues-keep-their-data-secure>
so that keeping track and applying appropriate protections becomes
intuitive and common sense:

   - Every organisation is different. Make sure you have thought out and
   documented clearly the broad classifications of data your organisation will
   handle.
   - Invest in awareness training for every employee on the potential
   effects of the data
   <http://www.computerweekly.com/news/4500250569/Study-shows-UK-workers-fail-to-understand-data-value-putting-firms-at-risk>
   they handle being leaked, damaged or lost. Track success with
   questionnaires to measure how well policy is understood.
   - Hold less data. If you don’t need to collect, hold or handle certain
   data, then don’t. Consider the risks and associated costs of holding data,
   as well as the benefits.
   - Be clear what the appropriate protections are for each classification
   of data
   <http://www.computerweekly.com/news/4500256309/Lack-of-data-classification-very-costly-to-firms-says-survey>,
   whether at rest, in transit or on a user’s endpoint device. Gather
   structured, periodic feedback from a sample of employees and systems to
   measure success.
   - Provide easy-to-access and simple tools
   <http://searchbusinessanalytics.techtarget.com/opinion/Data-analysis-tools-dont-create-data-driven-culture>
   employees can use to classify and protect data if they are unsure. Gather
   feedback on usability and track usage of such tools.
   - Call on established leaders’ help to support a culture of shared
   responsibility for tracking and monitoring personal data.
   - Take pushback as an opportunity to promote and clarify values, policy
   and expected behaviour. Explain why. People don’t like change or extra
   responsibility. Cultural change is always hard.
   - Hold every individual in the organisation responsible for tracking and
   protecting data
   <http://www.computerweekly.com/news/2240213483/Data-security-is-not-their-responsibility-say-23-of-employees>
   in the manner appropriate to their role. Periodically review with a sample
   of employees to ensure responsibilities are understood and acted on.

The risk of identity theft, fraud and misuse of personal data
<http://www.computerweekly.com/news/2240215535/Identity-theft-linked-to-60-UK-fraud-in-2013>
has never been greater. However, any centralised effort to catalogue and
control data is bound to fail without a data protection culture
<http://searchbusinessanalytics.techtarget.com/feature/How-to-develop-a-data-driven-culture>.

Don’t contain your creative employees in a poorly fitting control system
they don’t understand. They will rebel against and circumvent it, and you
might lose them. No quantity of externally imposed audit and process will
fill the gap alone.

Only by starting with values and behaviour can an organisation hope to
properly track and control the material it is responsible for.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
