Do Your Employees Take Data Security Seriously?
In a post-9/11 world, we're frequently reminded that we are all responsible for security. IT managers are still struggling with ways to get everyone in their organizations to take data security seriously.
With a number of companies allowing — even encouraging — their workers to use their personal devices to access corporate information, the job of data cop is getting tougher.
Avira, a data security software vendor, recently surveyed its users and found that 38.95 percent of respondents say they adhere to workplace security policies. Almost as many, 35.42 percent, admitted there are security policies in place at their companies but didn't feel that anyone cared whether those policies were followed.
The remainder, 25.63 percent, said they view security as a system administrator's responsibility rather than an employee concern.
Why is it so hard to get employees to comply with security measures?
"In general, it is quite hard to make people comply with something which they don't understand," said Sorin Mustaca, data security expert for Avira. "Most people wouldn't understand something like 'create a good password because someone might break into your account and steal your data' because they can't perceive this as a real theft. So, this is why I think that many people think that IT security doesn't really matter — they simply are unaware of the dangers and they ignore it."
"[Data security] advice is easy to give, but tough to implement," said Sean Glynn, vice president of marketing for CREDANT Technologies, a vendor of data protection technologies. "There is a natural tendency that when you're being told to do something, it is not well-accepted," he said.
With the bring-your-own-device phenomenon in full swing, Glynn suggested that all mobile devices being used to access corporate data be capable of having all of the data erased from them remotely. "It will also wipe out any of their personal information, such as bank statements and other financial records. But if you explain to employees how that can protect them personally as well, it makes sense to them."
Glynn's advice is to communicate early and often, with emails and even posters around the office. "Don't just tell them that they have to protect their data, but tell them why," he said. "Regularly email all employees about security issues and highlight success stories. There is also a trust factor with your clients. Your salespeople, for example, are focused on selling. Let them know that they can use your company's security measures as a selling tool to let clients know you take protecting their information seriously. If they see how it will benefit them, they're more likely to do it."
Learning how to address workers is the most complicated facet of data security, since most IT professionals are concentrating on improving their technical skills instead of their communication skills, industry observers said. "In general, giving demonstrations and offering hands-on training are two good ways to ensure that employees take security seriously," said Avira's Mustaca.
While it is tempting to duck into a Starbucks to check your email or use the free public Wi-Fi to log on to the corporate network to check on a client's order while you're waiting at the airport, employees need to be especially diligent when accessing corporate information from these spots. "These are really hot spots for cybercriminals," said Mark Patton, general manager for the Security Business Unit at GFI Software. GFI Software provides Web and mail security, archiving, backup and fax, networking and security software and hosted IT solutions for small- and medium-size businesses.
If a user does sign on using public Wi-Fi, they should have limited access to corporate data. "They shouldn't have access to shared folders on the network, for example," said Jong Purisima, AVLab manager at GFI Software. "They should also be educated that they shouldn't use their corporate emails for personal use, for things such as Amazon, online banking and the DMV," he said.
All users should be aware that lax security poses a risk to the company's reputation. "The message has to come from the top — the CEO, CFO and officers of the company," said David Roath, partner for IT and project assurance at PricewaterhouseCoopers, a consulting firm. "Then everyone has to have a say in how it is implemented. IT has to work with business, financial, operations, vendors and everyone to identify the threats and vulnerabilities and ensure that the proper framework is in place."
While you can work diligently to communicate the importance of security, Roath said it is also crucial to let employees know how to respond to a breach and possibly some tests. "They need to know who to call and when and how to elevate an incident," he said. "You have to build in resilience so that if there is a breach, it doesn't necessarily have to take you down if you respond quickly and efficiently."