Changing the Security Culture within an organisation
How to be forearmed against an internal data breach.
Article by Martin Sugden of HANDD Business Solutions Partner Boldon James, June 2015.
Hindsight can be a wonderful thing, but when it comes to data security and potential breaches, it’s best to ensure that your security policies and tools are able to protect your organisation. Yet, despite the regular headlines caused by high-profile data breaches, many organisations still do not know how best to react once breached or, indeed, follow best practice to prevent a breach from happening in the first instance.
New research conducted by Bloor Research, in conjunction with Boldon James, highlighted data security as a critical or serious concern for most organisations surveyed, with data classification recognised as a foundational tool for ensuring data security. But whilst organisations may have the best intentions, some are still missing a trick and suffering with potentially-costly data breaches that not only impact on revenue (particularly with the impending European General Data Protection Directive set to come into effect shortly) but also their reputation within the industry and customer base.
So what measures should organisations look to implement, both in advance of, or after, a breach to ensure they have effective information governance strategies in place?
Don’t spend, spend, spend on any old security tool
Imagine the worst has happened and your organisation has suffered a data breach because a highly sensitive document was shared with a third party instead of a colleague. What do you do? Our research revealed that the most common reaction following a data breach (accounting for 86% of respondents) is to pump money into purchasing new data security tools and attempt to tighten security policies, assuming this will diminish the risk of future breaches.
This poses the question of which tools do you actually need? Is it a firewall, a Data Loss Prevention (DLP) solution, a Network Access Control (NAC) device, Security Information and Event Monitoring (SIEM) solution? All of the above? Organisations are faced with lots of options on new and next generation tools to purchase, but before they can make a choice they must also decide what it is they need to protect and how they are going to solve the overarching problem of understanding the value of the data to the business – if you don’t know what your data is, how can you decide how to protect it?
Many analysts including Forrester and Gartner now recommend that organisations adopt a data-centric security strategy. This means deploying tools that ensure the security afforded to an email or document (or any data within the corporate network) travels with that data throughout its lifecycle to inform any and all security decisions. Organisations can no longer just set up security policies and permissions that end at the network perimeter. With an increase in the ways data is shared and also the devices on which data is held in the workplace, data needs to be stored and communicated carefully and correctly to minimise the risk of a data breach, particularly with the advent of the BYOD and CYOD trends within businesses.
Include the users; don’t hide data security from them
One of the biggest assets organisations already have when implementing new security arrangements is often the one neglected from the beginning – the users. Historically, anything to do with IT Security was kept away from users by IT teams concerned that it was either too complex, too disruptive or required specialist skills to execute. However, this mind set needs to change and is changing – in reality, users are already on the frontline of data security, as they are the ones creating and handling the data and therefore are best placed to understand its value to the business. Our research revealed that 60.5% of organisations focus on increasing user awareness and training following a breach, which is a positive sign. Including users expands the reach of IT security across the entire business and gets users proactively thinking about how to protect information and prevent a breach.
Such was the case with Allianz Ireland who implemented a user-driven data classification solution into their organisation in order to protect sensitive and valuable information assets and distinguish between the different types of data used by their organisation. The solution forced users to select a classification value before a document could be shared or an email sent. Within several months, they not only saw a 60% improvement in employee awareness of data security practices, but also found a significant reduction (89%) in breaches.
Changing the culture and perception of security
In order to make a real impact within an organisation, either before or after a data breach, there must be a change not only in the data security tools and policies, but a change in the security culture within the entire business. Implementing a data-centric security approach, driven by users’ knowledge of the value of the data can deliver tangible business benefits and reduce the risk of a data leak.
About HANDD
Founded in 2006 and now with offices across the globe, HANDD Business Solutions are integrators and thought leaders embracing the strap line ‘Securing the journey of your data’. Operating in a niche sector of the I.T Security market, HANDD exists to deliver Data Security and Managed File Transfer solutions to a global client base including some of the biggest brands and companies in the world.
For more information on our products, or to discuss your Data Security project requirements, contact HANDD Business Solutions on 0845 6434063 or email sales@handd.co.uk.