Why a company's greatest vulnerability is its people
While Snowden, high-profile data breaches and hacking dominate the headlines, the more pernicious risk to business continues to be simple human error, says Tony Pepper.
Cyber-security has never before been such a popular – or infamous – topic. Its move into mainstream consciousness can be traced to the Snowden revelations in 2013 exposing the extent of international government data surveillance and interception. Since then, there has been a surge in high-profile data breaches and hacking stories being reported in the media. From celebrities like Jennifer Lawrence to large organisations such as Sony, nothing seems sacred in the world of data theft, with private photos and confidential email content being splashed across news pages.
There is no doubt about it: cyber-security and encryption have caught the public's attention. One of 2014's biggest films was The Imitation Game, based on a WWII code breaker. Cyber-security has been on the global agenda for quite some time, but recently we have also seen some of the world's most powerful leaders, such as President Obama (and to a lesser extent David Cameron), locking horns over the future of encryption.
Yet whilst sophisticated cyber-attacks on an organisation's network grab the headlines, the most pertinent risk to business is a lot more mundane. Statistics from the Information Commissioner's Office (ICO) demonstrate that 93 percent of data breaches are actually caused by human error. In light of this fact, companies need to resist the temptation to follow the headlines and instead focus on the reality of the biggest threat facing them: human error.
A most common threat
A significant factor driving this issue forward has been changes in the way IT services are consumed. The rise of BYOD and cloud, for example, has altered the way people use technology and handle data. Sensitive information is being replicated across different, and sometimes personal, devices – often without comprehensive information security policies and systems in place. As a result, organisations are becoming increasingly vulnerable to data breaches from inside their own networks.
These internal breaches are, more often than not, totally unintentional. For instance, how many of us have sent information via email to the wrong recipient by mistake? Or sent information to the wrong fax number or postal address, lost an unencrypted endpoint device, or accidentally uploaded the wrong file to a publicly available website? It's so easily done.
Added to this is the fact that many users are simply bypassing security in favour of convenience. Security is seen as an enemy of productivity – often because people believe data protection tools, encryption in particular, are complex and time-consuming. This misconception, and a lack of appropriate tools, can lead people to take a risk with data.
Optimising the enterprise's defences
To mitigate the growing internal risk, organisations must consider new approaches to protect the sensitive information that they handle and share. I would suggest taking the following approach to help mitigate the risks:
- Adapt and keep pace with mainstream technology: End-users now expect to be able to seamlessly consume a mix of cloud-based and on-premise services and applications as part of their daily working lives. Data security solutions must ensure they are part of that seamless end-user experience, which means technology should be developed with simple integration and unified identity management in mind, be that using Active Directory Federation Services (ADFS) or industry standard protocols, such as SAML2.
- Educate employees: Data protection should remain a constant item on employee training agendas, helping staff to understand the ways in which errors occur and developing procedures to mitigate risk – for example, using secure email to send a document rather than fax.
- Limit damage: Decision-makers must also recognise that, despite best efforts to the contrary, mistakes will happen and enterprises still need robust data protection measures. The flow of data in and out of an organisation should be monitored to understand what sensitive information individuals and departments are sharing, how they're sharing it and who they're sharing it with. With this information available, companies can implement necessary and informed data protection measures effectively throughout an organisation, meaning everyone who needs to access encryption technology can do so. In addition, the ability to enforce policy scanning and encryption at the gateway means that technology can catch mistakes that humans inevitably miss.
- Tool up: In order to communicate securely and effectively, organisations need access to integrated encryption services. Email, for example, will not always be the most suitable solution for sharing information. What happens when employees need to send confidential information by large file transfer? What happens when they need to collaborate with individuals in other organisations on sensitive projects? The solutions put in place should entirely suit an organisation's data sharing requirements and, where possible, offer similar user experiences and functionality, as well as integrate with one another.
Ultimately, it is not about prioritising external ahead of internal cyber-security threats. It is about being aware of both and applying sensible technology-driven steps to mitigate risk to both the organisation and its employees.
Contributed by Tony Pepper, CEO of Egress.