Your Network Is Secure, But Are Employees Exposing Data? Six Strategies for Reducing Loss

By David Shepherd, LMI Consultant | Monday, November 10, 2014 | Cyber Security   

It’s no secret that data breaches are on the rise. These security rifts cost U.S. organizations an average of $195 per protected personal data record lost or stolen, with total costs averaging more than $5.8 million per organization breached. What may be surprising is that well-intentioned employees could be putting your data at risk.

How? To meet deadlines and collaboration requirements, employees skirt security rules protecting confidential documents by using personal email addresses and free file sharing services. Focused on completing tasks, they are unaware of the risks.
 
MeriTalk research shows that nearly 50 percent of federal agency security breaches are caused by security noncompliance. Forrester data reveals that the top reason for breaches (36 percent of companies surveyed) is inadvertent use of data without clear knowledge of polices. The problem is exacerbated by the proliferation of mobile devices that connect to cellular and Wi-Fi networks and upload data to the cloud.
 
Why do users bypass security? They take these risks to complete tasks within tight deadlines. They recognize this isn’t the “right” way to share documents, but feel they have no other options. Common complaints:
             
“Due to mail server size limitations, I cannot send a large file to my client.”
 
“Neither my client nor my company has a file-sharing tool.”

Balancing data protection and productivity

Increasing the number of security rules will not decrease employee data losses. The following six recommendations can help organizations balance the need for data protection, policy clarity, and productivity.
 
1) Understand employee needs when setting security policies
Engage users so you understand their day-to-day work and why they bypass security. Anonymous surveys and best practice initiatives are helpful tools. Consider granting amnesty to ensure you fully understand the problem. If your employees are using Dropbox, Box, or Google Docs, they are saying they need better storage and collaboration tools.
 
2) Conduct consistent, regular staff training at all levels
PricewaterhouseCoopers research reveals that most businesses invest only up to $400 per employee per year on cybersecurity training. The big exception is financial institutions, which typically spend $2,500 per employee each year. Employee training must be ongoing and pervasive—not an annual ritual. It must also include executives who are more likely to have data on multiple devices.
 
3) Provide a secure, flexible, and easy-to-use file-sharing tool
Employees started using cloud storage because providers offered free services with easy-to-use interfaces. These companies also offer enterprise versions, which include customizable interfaces, meet government security standards, and may even be branded with your organizational identity. Nearly all providers offer trials.
 
4) Deal with mobility
Organizations need to update mobile device policies to address both organization- and employee-owned devices. Solutions need to protect organization data while meeting security and employee usability needs.
 
5) Invest in effective prevention
Be proactive. Prior to a damaging event, security budgets are slim. After a breach, organizations can’t spend money fast enough. An event’s root cause is often due to problems with an organization’s processes. Hastily spending money on new tools won’t necessarily fix the root cause.
 
6) Consider suggesting tools, even if you can’t endorse their use
If an organization can’t provide a file-sharing tool, consider suggesting employees use a particular service. Wouldn’t it be better to monitor a single service closely, rather than attempting to monitor them all? If a bad breach occurs, the organization could immediately inform users and take corrective actions.
 
Our pristine networks are vulnerable to dedicated employees who are trying to do great work and meet impossible deadlines. If we don’t provide secure, capable tools, they will find another way. We can continue to fight against them, or we can investigate their needs, accept the challenges, and work to meet those needs while still ensuring security.

Bio

David K. Shepherd is a senior consultant in LMI’s Systems Development Group and has
25 years of experience as an information technology (IT) service management and security professional. He has designed, developed, managed, and maintained enterprise quality websites and applications for federal clients. He also advises clients on IT infrastructure issues, effective use of tools and techniques, and security engineering.


0 comment(s):




Post a Comment



CAPTCHA
Change the CAPTCHA codeSpeak the CAPTCHA code
 
Enter the characters above