Understanding the human factor in security can be easier if consequences are understood.
Speaking on an SC Magazine webcast, Stephanie Damon, CEO of the Cyber Security Challenge, said that it takes a while for corporate consequences to kick in if a device or data is lost, as it depends on who the consequence falls upon.
“This is to do with awareness and getting people to understand that when they do lose corporate data, it does have a very serious consequence,” she said.
In agreement, Pamal Sharma, head of IT at Fujifilm, said that it was a case of relating to what you are handling, and that ‘consequences’ was a good word. “I think people need to relate to what they are dealing with; the danger here is that people get very used to what they are dealing with,” he said.
“An example is when, in a previous job, someone left HR data on my desk that contained details on salaries; she had previously worked in a bank and it wasn't a big deal. Just being able to relate to the data and understanding what the consequences of divulging that are, and we've heard about statements being left outside in a bin liner, and there the consequences are for the individual who owns that data.”
Asked what can be done to change perceptions, Sharma said that a company could get people to relate to the data if they were the ones who lost it and relate it to any potential bonuses – if the data loss caused consequences to the company in relation to fines, reputation, new customers and the downward spiral effect.
Sharma said: “These are the things you need to pick up as an individual to what they do every day, and that makes you more tuned to how they need to behave with other people's information.”
Damon said she agreed with this concept, and relating it to what people are doing can be very difficult, as there can be a ‘glaze’ that comes over people when they go to security briefings.
“Telling them what they must and must not do is a real issue,” she said.
“I once saw a whole room come alive because we managed to relate the issues of the business to what they were doing on a day-to-day basis, and it was around ‘if you don't do this properly you may lose your customer's data’ and then you have to ring and tell your customers that you've lost their data, and like a lightbulb, you could see why it was important.
“So relating it to what they do on a day-to-day basis is the key thing, rather than providing just a series of do's and don'ts.”
Sharma also said that often staff were trying to do the company a favour, and often the internal threat is more of a challenge than the external, but he was reluctant to call it an ‘internal threat’.
Damon also said that a lot of companies had taken time to realise that it was their information that they were trying to protect, and that IT was a tool to do that.