Who’s using your data? Why your security strategy must consider the human factor
Developing a strong IT security strategy requires businesses today to cover a lot of bases. Alongside a wide range of technical threats, from ransomware and DDoS attacks to Advanced Persistent Threats, businesses also need to take into account the human element: in a large share of breaches, at least part of the blame can be traced back to someone within the business.
One of the most common challenges for businesses is ensuring their staff do not fall victim to social engineering tactics such as spear phishing. Teaching your workforce to recognise the signs of a scam, to avoid clicking on unknown links and to avoid easily guessed or reused passwords is among the very first steps a company needs to take when securing its systems.
Starting from the top
However, it seems that despite repeated warnings, the message is still not getting through to some users. And troublingly, even senior staff members are engaging in risky behaviour that could leave a business’ most sensitive data exposed. The actions of people at board level often set the tone for the company as a whole, so it’s especially important that these personnel are following best practice.
Even chief executive officers (CEOs) are frequently putting their companies at risk, according to Code42’s 2018 Data Exposure Report. For example, the study found that 93 per cent of CEOs admit to keeping copies of their work on personal devices such as smartphones and laptops that are outside the protections of a business’ defences.
Yet nearly four-fifths of CEOs (78 per cent) say that data such as intellectual property is the most precious asset their company possesses, which suggests they either do not recognise the risk in this behaviour or underestimate the damage that could be done if their personal devices are compromised.
What’s more, almost two-thirds of CEOs (63 per cent) admit to clicking on links they shouldn’t have, which leaves the company vulnerable to malware. Some 59 per cent also acknowledge downloading software before finding out whether or not it has been approved by their security department.
Jadee Hanson, Code42’s chief information security officer, commented: “It’s clear that even the best-intentioned data security policies are no match for human nature. Understanding how emotional forces drive risky behavior is a step in the right direction, as is recognising ‘disconnects’ within the organization that create data security vulnerabilities.”
The disconnect between talk and actions
The research illustrates just how big a disconnect there is between what business leaders say about the importance of effective security and the reality of their actions. For example, while 77 per cent of CEOs recognise that their IT department would view their data handling as risky behaviour, they continue to do it anyway. This suggests they have misplaced confidence in their own activities or are not taking the threats seriously enough.
While four out of five chief information security officers (CISOs) agree with the maxim that "you cannot protect what you cannot see", this belief is not matched by business leaders. In fact, 82 per cent of these individuals think that it is possible to protect data that the IT team cannot see, which suggests they may be overestimating the capabilities of their defences.
Indeed, many IT leaders believe that, thanks to the rise of trends such as flexible working and increasing digitisation of information, there is more data than ever that could be unaccounted for with traditional ways of working. Almost three-quarters of security pros (73 per cent) believe that some of their company’s data exists only on endpoint devices that may be outside the scope of their protections.
What’s more, as many as 71 per cent of security and IT leaders and 70 per cent of business leaders agree that losing all corporate data held on these endpoint devices would be seriously disruptive or even business-destroying.
Therefore, the importance of tackling the human factors that lead employees to be casual about how they use data and interact with technology cannot be overstated. Even the most advanced technological solutions cannot help if attackers can easily access data held on your CEO's unsecured personal device.
Rob Westervelt, research director for the security products group at IDC, said: “To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats.”
With over 25 years in the business telecoms industry and an unrivalled reputation of delivering excellent, personal customer service, Arrow is one of very few companies in the UK able to provide a full telecoms, IT and energy consultancy and service proposition.