With all the scare talk surrounding information security (InfoSec), businesses are quick to invest in expensive technologies to safeguard their data. We aren’t insinuating that this is a bad thing. Today’s wayward cyber environment certainly warrants it. But there is something wrong with immediately and exclusively relying on technology to protect your organization. For one thing, it’s incredibly expensive. But look beyond the hard cost involved, and you’ll discover that CIOs and CISOs are missing a major link that could lower their security “soft costs.”
Yes, the scope of technology is ever-expanding. But at the most fundamental level, we’re still dealing with devices, data, and protocols that must be carried out by your employees, which means smart people are still your organization’s greatest asset. Without them, no amount of security technology will prevent a potentially grave error. Care to guess what is the biggest cause of data breaches?
Despite a vibrant and growing population of cyber miscreants, employees are to blame for more data breaches than technology errors (52 percent to 48 percent, respectively). As for the damages—there’s no way to put a price on a demolished reputation, but IBM and Ponemon released a study that claims the average cost of a data breach is about $3.79 million.
Experts suggest that instead of jumping right into expensive investments, organizations first need to build a foundation that supports security technology. That is, organizations need to develop greater security-based internal protocols and properly train employees on how to perform their job duties to reduce security mistakes.
Creating a Culture of Security
One way organizations are accomplishing this is by creating a “culture of security.” A culture of security is a type of company culture that places information and network security at the top of everyone’s priority list. In a culture of security, CIOs and CSOs are vital components of the success of the organization, and organizations recognize that security done wrong is exponentially more costly than security done right.
Therefore, employees and information technology professionals are committed to creating and following security protocols and view adherence as an ethical obligation. Employees not only understand the purpose and importance of specific protocols but also possess an advanced awareness of how their actions play a part in the overall protection of their organization. They are trained to correctly access and use data, but they also know how to identify and report issues. As a result, the security-related ignorance that once increased your organization’s risk of a security breach (and its financial repercussions) dissolves.
How to Make the Shift
An organizational shift to a security culture isn’t easy. Contrary to what some believe, it takes more than a written policy outlining security responsibilities and expectations. Company leaders must make security violations socially and morally unacceptable. This is achievable by marketing the importance of security and making it a regular topic of conversation. But you can’t expect employees to magically grasp the universal concept of your organization’s security overnight. Educate employees not just about how security is important to the organization, but about how it affects their role within the company. Provide employees with the tools, scripts and processes they need to correctly access and use data. Consider gamifying your organization’s security initiatives to inspire healthy competition. For example, offer rewards for catching a security threat. And encourage employees to ask questions about how different components of the infrastructure work and why specific measures are in place.
Remember, the cost of security ignorance among your employees could be millions. Before you invest in the latest security technologies, invest in your people.
An employee who understands the value of data, the basics of how that data is protected, and what vulnerabilities exist therein will increase the value of your technological investments and decrease the financial risks of a data breach. But for this degree of security intelligence to take hold, your organization must be willing to rethink its protocols and, more importantly, train employees to understand how and why they exist.
About the Author
Lauren Edmonds is a Principal at Schellman with over 10 years of attestation and compliance experience. Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.