How to build a culture of data security
Even the most security conscious organisations can have holes in their cybersecurity defences. This was highlighted by the recent incident when an unencrypted USB stick containing confidential data from Heathrow airport was found by a member of the public. How the device came to be lying in the street is not yet known. Whether it was the result of an attack or human error, the incident serves as a reminder that people remain the weakest link when it comes to data security.
Cybercriminals are acutely aware of this fact. So are businesses: 44 per cent of IT decision makers in the UK expect that employees will lose data and expose their organisation to the risk of a data breach, according to a survey by Apricorn.
Many breaches are not caused by external actors, but by well-intentioned employees attempting to work more productively and efficiently by, for instance, using a cloud service or saving a document to a memory stick to work on offsite.
Few employees within the defence sector will be unaware of the importance of data security. They may not be fully aware, however, of the risks or compliance requirements affecting their organisation, or their specific role in protecting data. If people are left to their own devices even the best tools and processes will fail to prevent a breach.
Limiting access to ‘risky’ technologies and applications is not the answer. Instead, the business should be focused on security from top to bottom – and that means implementing and sustaining a culture that is designed to ensure accountability and compliance across the whole organisation.
A comprehensive security review
The starting point should be a detailed understanding of the current security posture. Conduct a data audit to gain visibility of what data you hold, where it flows and what security controls are applied to it. Review your existing security processes to identify ‘gaps’ and areas which need addressing.
From there, introduce changes to existing security policies and develop new ones as necessary. These should be clearly defined, written down, shared across the organisation and pushed out to all endpoints.
Policies that help to drive and reinforce a culture of security might include rules on the length and complexity of passwords, for example. They should not be difficult to grasp or to follow; this is when people turn to non-sanctioned tools, services, devices and behaviour.
Secure data on the move
Consider how data is protected when it is transferred or taken outside the organisation or its central systems. The Apricorn survey found that 29% of organisations have suffered a data breach or loss as a direct result of mobile working, and 44% expect mobile workers to expose the business to data breaches.
To effectively manage the risks, establish and enforce security policies and procedures that cover all types of removable media, mobile devices and flexible working.
Tools: keep it straightforward
Equip employees with advanced security technologies that are also hassle-free: if they’re too difficult to use people might look for an alternative tool.
Tools should include a mandated mobile storage device featuring strong encryption. Their use can be enforced through policies such as locking down USB ports so they can accept only corporately approved, FIPS certified, hardware encrypted devices.
All employees must be given full training on how to use the technologies implemented, including the secure use of their mobile and removable devices.
User engagement and training
Run training programmes that educate all users in the risks and threats to the business, their responsibilities in preventing breaches, and the procedures they must follow. Alongside reducing negligence, this will increase engagement and accountability.
Lead from the front
An organisation’s leadership will shape its culture and values. Executive and management teams should play an active part in developing and executing a comprehensive security strategy that protects the entire business. In addition to encouraging employees to integrate secure practices every day, leaders must demonstrate that they’re doing the same.
Leaders should also work to open up lines of communication, getting different departments to collaborate to determine and execute shared data security priorities and plans.
Once everything is in place, ensure systems are tested regularly – by outside experts if necessary – and adjusted to defend against evolving cyber threats.
Protecting information from loss or theft is the responsibility of every single employee, whatever their role. To strengthen the organ
isation’s resilience to both external and internal cyber threats, senior teams must embed security into everything people do by building a culture that values and is committed to data security.
Combining a standard level of education with user-friendly policies and procedures, data encryption and corporate approved tools will reduce the risk of a breach without compromising agility. This way, people can be turned from the organisation’s weakest security link into its strongest security asset.
Jon Fielding, Managing Director, EMEA Apricorn
If you would like to join our community and read more articles like this then please click here.