The people problem: How to manage the human factor to shore up security

Data security has never before featured so highly on the boardroom agenda, mostly thanks to a continued avalanche of major breach incidents, says Tony Pepper.

Tony Pepper, CEO, Egress Software Technologies

With the coming European General Data Protection Regulation (GDPR) set to impose punitive fines on those failing to address glaring security holes, it's perhaps no surprise this has finally got C-level attention. However, are firms targeting information security investment in the right areas? While shoring up your network defences against an external cyber-threat is to be welcomed, organisations risk ignoring a much more pressing problem: human error.

Addressing the ‘accidental' insider threat won't just take seamlessly integrated, user-friendly security. It will also require an in-depth knowledge of the sensitivity of the data handled by your employees, leading to clear policies and processes that leave no room for ambiguity and mistakes.

Taking a horse to water

There should be no security professional working in the industry today who doesn't understand the implications of a serious data breach. Aside from the cost of remediation and clean-up, there are potential industry fines, legal fees, and damage to the share price and brand reputation that can have a far more serious impact. TalkTalk admitted in February that a security incident late last year that affected relatively few records has so far cost the company £60 million and at least 100,000 lost customers.

However, high-profile media attention of cyber-attacks is shifting organisations' information security focus in a way that could leave them exposed to a data breach anyway. We recently asked 200 CIOs from firms of over 1,000 employees where they prioritise information security spending to protect customer data. Nearly half (49 percent) said they did so to keep external hackers out, with just 20 percent claiming their main focus was on accidental employee breaches. Yet a Freedom of Information request Egress filed with the Information Commissioner's Office found that 93 percent of breaches reported to the watchdog resulted from human error.

PwC's 2015 Information Security Breaches Survey revealed a similar pattern: 75 percent of large firms said they suffered staff-related breaches in the previous year, up from 58 percent. And 31 percent of small businesses said the same, up from 22 percent. What's more, 50 percent of the worst breaches in that period were caused by human error, up from 31 percent, according to the report.

From a technology perspective, IT security teams often face a “taking a horse to water” problem. Security tools must fit seamlessly into employees' working lives, otherwise they may find ways to bypass those measures. For example, if they need to urgently send an email attachment but new IT rules have added too many extra steps to the process for both sender and recipient, then they may be tempted to upload it to a file sharing site, like Dropbox, instead.

However, it's not just about the users. IT can often be as resistant to change as other departments. All too often, strategy and purchasing decisions are influenced by the notion that technologies involving end-users put too big a strain on IT. The biggest concerns among CIOs we spoke to about deploying encrypted communications were helpdesk calls, complex integration and disruption to processes.

The truth is that as long as IT teams are preoccupied with these concerns there'll be little appetite to address the problem and start to reduce that all-important insider risk.

Technology, policy, process

So what's the solution? It's certainly not just a case of implementing a new security solution and hoping it works. Instead, it will require a much broader strategy combining technology and processes, founded on a better understanding of your data.

And that's where it begins: by understanding the data your users are creating, and monitoring its flow in and out of the organisation. By doing so, you can answer some key questions. How sensitive is it? Who has access to it? Who will be sharing it, how and with whom? With this information, IT leaders can then begin to craft data protection policies and implement technology with a better understanding of where to apply specific security controls, like encryption. It will also tell them which data types need additional layers of security – perhaps preventing users from emailing or printing data altogether.

Creating an audit trail is also essential to monitor what happens to data at each step in its journey. This makes it easier to isolate any data should it be involved in a specific security incident. Additionally, the Information Commissioner's Office is less likely to pursue regulatory action against firms using encryption software and comprehensive audit records will only help to support this.

Policy and process must be as clear and simple as possible, leaving no room for interpretation: for example, “always encrypt any customer financial data”. This will help protect your organisation's most valuable asset through its entire lifecycle. It also goes without saying that these policies need to be communicated to staff as part of a comprehensive education and awareness-raising process. Employees need to be told what the risks are, why it matters and the consequences to them if a breach occurs.

However, this also needs to be underpinned by smart technology. If, for example, an employee classifies a document as sensitive on creation – whether through their own decision or prompts from a DLP tool – then other technology should recognise and respect this choice. If a user then attaches the document to an email, encryption software should automatically protect the information to the necessary level without the user having to ‘re-apply' it. Used correctly, such technology will become an automatic way of doing business, and also provide a vital fallback if a user does forget policy and accidentally sends a sensitive document out of the organisation unencrypted, for example.
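As an added illustration of the label-aware automatic protection and audit trail described above (example code written for this page, not Egress's product or the author's), the check below applies a written policy such as "always encrypt any customer financial data" to an outbound message, protects attachments the user forgot to encrypt, blocks data types that may never be emailed, and records an audit entry. The policy labels, addresses and the `encrypted` flag standing in for real encryption are all constructed assumptions.

```python
# Added example (not Egress's product code): a minimal label-aware outbound-email
# check that applies a written policy, auto-protects attachments the user forgot to
# encrypt, blocks data types that may not be emailed at all, and records an audit entry.
from dataclasses import dataclass, field
import json

# Hypothetical policy mirroring the article: "always encrypt any customer financial
# data" and "prevent users from emailing ... altogether". Labels are set on creation.
POLICY = {
    "public": "allow",
    "internal": "allow",
    "customer-financial": "encrypt",   # must always leave the organisation encrypted
    "restricted": "block",             # must never be emailed
}

# Severity order: the strictest requirement across all attachments wins.
RANK = {"allow": 0, "encrypt": 1, "block": 2}

@dataclass
class Attachment:
    name: str
    label: str            # classification chosen on creation or prompted by a DLP tool
    encrypted: bool = False   # constructed stand-in for real encryption

@dataclass
class Decision:
    action: str                    # "allow", "encrypt" or "block"
    protected: list = field(default_factory=list)   # attachments protected on the user's behalf
    audit: dict = field(default_factory=dict)

def evaluate_outbound(sender, recipients, attachments, policy=POLICY):
    """Decide what happens to an outbound message and write one audit record for it."""
    action = "allow"
    protected = []
    for att in attachments:
        required = policy.get(att.label, "block")   # unknown label: fail closed
        if RANK[required] > RANK[action]:
            action = required
        if required == "encrypt" and not att.encrypted:
            att.encrypted = True                     # fallback: protect automatically
            protected.append(att.name)
    audit = {
        "event": "outbound_email",
        "sender": sender,
        "recipients": recipients,
        "attachments": [(a.name, a.label, a.encrypted) for a in attachments],
        "action": action,
        "auto_protected": protected,
    }
    print(json.dumps(audit))   # audit trail: one line per step in the data's journey
    return Decision(action, protected, audit)
```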

Organisations have two years to address how they handle and process data before the EU GDPR comes into force. The regulation will address all aspects of the data lifecycle – not just when it's on your network and at threat from a hacker, but also when employees are simply carrying out their day-to-day tasks. With the repercussions of a breach only set to get higher thanks to the EU laws, there's never been a better time to start tackling this problem.

Contributed by Tony Pepper, CEO, Egress Software Technologies