NVTC is inviting members and industry leaders to serve as guest bloggers, sharing insights and information on trends or business issues relevant to other members. This week, David K. Shepherd of LMI shares six strategies for reducing loss from data breaches. Check out previous blogs from LMI on a business-driven approach to IT decision-making and three business-friendly strategies to increase the value of enterprise architecture.
It’s no secret that data breaches are on the rise. These security rifts cost U.S. organizations an average of $195 per protected personal data record lost or stolen, with total costs averaging more than $5.8 million per organization breached. What may be surprising is that well-intentioned employees could be putting your data at risk..
How? To meet deadlines and collaboration requirements, employees skirt security rules protecting confidential documents by using personal email addresses and free file sharing services. Focused on completing tasks, they are unaware of the risks.
MeriTalk research shows that nearly 50 percent of federal agency security breaches are caused by security noncompliance. Forrester data reveals that the top reason for breaches (36 percent of companies surveyed) is inadvertent use of data without clear knowledge of polices. The problem is exacerbated by the proliferation of mobile devices that connect to cellular and Wi-Fi networks and upload data to the cloud.
Why do users bypass security? They take these risks to complete tasks within tight deadlines. They recognize this isn’t the “right” way to share documents, but feel they have no other options. Common complaints:
“Due to mail server size limitations, I cannot send a large file to my client.”
“Neither my client nor my company has a file-sharing tool.”
Balancing data protection and productivity
Increasing the number of security rules will not decrease employee data losses. The following six recommendations can help organizations balance the need for data protection, policy clarity, and productivity.
1) Understand employee needs when setting security policies
Engage users so you understand their day-to-day work and why they bypass security. Anonymous surveys and best practice initiatives are helpful tools. Consider granting amnesty to ensure you fully understand the problem. If your employees are using Dropbox, Box, or Google Docs, they are saying they need better storage and collaboration tools.
2) Conduct consistent, regular staff training at all levels
PricewaterhouseCoopers research reveals that most businesses invest only up to $400 per employee per year on cybersecurity training. The big exception is financial institutions, which typically spend $2,500 per employee each year. Employee training must be ongoing and pervasive—not an annual ritual. It must also include executives who are more likely to have data on multiple devices.
3) Provide a secure, flexible, and easy-to-use file-sharing tool
Employees started using cloud storage because providers offered free services with easy-to-use interfaces. These companies also offer enterprise versions, which include customizable interfaces, meet government security standards, and may even be branded with your organizational identity. Nearly all providers offer trials.
4) Deal with mobility
Organizations need to update mobile device policies to address both organization- and employee-owned devices. Solutions need to protect organization data while meeting security and employee usability needs.
5) Invest in effective prevention
Be proactive. Prior to a damaging event, security budgets are slim. After a breach, organizations can’t spend money fast enough. An event’s root cause is often due to problems with an organization’s processes. Hastily spending money on new tools won’t necessarily fix the root cause.
6) Consider suggesting tools, even if you can’t endorse their use
If an organization can’t provide a file-sharing tool, consider suggesting employees use a particular service. Wouldn’t it be better to monitor a single service closely, rather than attempting to monitor them all? If a bad breach occurs, the organization could immediately inform users and take corrective actions.
Our pristine networks are vulnerable to dedicated employees who are trying to do great work and meet impossible deadlines. If we don’t provide secure, capable tools, they will find another way. We can continue to fight against them, or we can investigate their needs, accept the challenges, and work to meet those needs while still ensuring security.
David K. Shepherd is a senior consultant in LMI’s Systems Development Group and has 25 years of experience as an information technology (IT) service management and security professional. He has designed, developed, managed, and maintained enterprise quality websites and applications for federal clients. He also advises clients on IT infrastructure issues, effective use of tools and techniques, and security engineering. He can be reached at email@example.com.