Who’s using your data? Why your security strategy must consider the human factor

Image credit: iStockphoto/LeoWolfert

Developing a strong IT security strategy requires businesses today to cover a lot of bases. While there is now a wide range of threats that need to be addressed, from ransomware and DDoS attacks to Advanced Persistent Threats, businesses also need to take the human element into account: in the majority of breaches, at least part of the blame can be traced back to someone within the business.

One of the most common challenges for businesses is ensuring their staff do not fall victim to social engineering tactics such as spear phishing. Teaching your workforce to recognise the signs of a potential scammer, to avoid clicking on unknown links and to avoid choosing easily guessed or repeated passwords are among the very first steps companies need to take when it comes to securing their systems.

Starting from the top

However, it seems that despite repeated warnings, the message is still not getting through to some users. And troublingly, even senior staff members are engaging in risky behaviour that could leave a business’ most sensitive data exposed. The actions of people at board level often set the tone for the company as a whole, so it's especially important that these personnel are following best practice.

Even chief executive officers (CEOs) are frequently putting their companies at risk, according to Code42's 2018 Data Exposure Report. For example, the study found that 93 per cent of CEOs admit to keeping copies of their work on personal devices such as smartphones and laptops that are outside the protections of a business' defences.

However, despite this, nearly four-fifths of CEOs (78 per cent) say that data such as intellectual property is the most precious asset their company possesses, which suggests they are unaware of the risks in this behaviour or the damage that could be done if their personal devices are compromised.

What's more, almost two-thirds of CEOs (63 per cent) admit to clicking on links they shouldn't have, which leaves the company vulnerable to malware. Some 59 per cent also acknowledge downloading software before finding out whether or not it has been approved by their security department. 

Jadee Hanson, Code42’s chief information security officer, commented: "It's clear that even the best-intentioned data security policies are no match for human nature. Understanding how emotional forces drive risky behavior is a step in the right direction, as is recognising 'disconnects' within the organization that create data security vulnerabilities."

The disconnect between talk and actions

The research illustrates just how big a disconnect there is between what business leaders say about the importance of effective security and the reality of their actions. For example, while 77 per cent of CEOs recognise that their IT department would view their data handling as risky behaviour, they continue to do it anyway. This suggests they have misplaced confidence in their own activities or are not taking the threats seriously enough.

While four out of five chief information security officers (CISOs) agree with the maxim that "you cannot protect what you cannot see", this belief is not matched by business leaders. In fact, 82 per cent of these individuals think that it is possible to protect data that the IT team cannot see, which suggests that they may be overestimating the capabilities of their defences.

Indeed, many IT leaders believe that, thanks to the rise of trends such as flexible working and increasing digitisation of information, there is more data than ever that could be unaccounted for with traditional ways of working. Almost three-quarters of security pros (73 per cent) believe that some of their company's data exists only on endpoint devices that may be outside the scope of their protections.

What's more, as many as 71 per cent of security and IT leaders and 70 per cent of business leaders agree that losing all corporate data held on these endpoint devices would be seriously disruptive or even business-destroying.

Therefore, the importance of tackling the human factors that lead to employees being casual with how they use data and interact with technology should not be underestimated. Even the most advanced technological solutions can't help if hackers can easily access data held on your CEO's unsecured personal device.

Rob Westervelt, research director for the security products group at IDC, said: "To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats."