Step aside, Wikileaks, HSBC and the Luxembourg tax files. At the beginning of April, the ‘Panama Papers' became the biggest data leak in history. 2.6TB of data was compromised as the result of a suspected email server hack—the largest reported breach of all time. Apart from the magnitude of the breach, the extremely sensitive nature of the information that was disclosed has left the compromised organisation, law firm Mossack Fonseca, in a precarious position.
For a company that is dependent on its ability to safeguard the financial details of its high-profile clientele, the brand damage and loss of customer faith following the attack will undoubtedly be devastating for the firm. But the consequences of a breach such as the Panama Papers are not limited to the victim of the attack. These incidents also contribute to a wider erosion of trust in the IT department—not only from a customer perspective, but also amongst employees.
Code42's 2016 Datastrophe Study shows that 25 percent of employees in the UK enterprise do not trust their IT teams with personal data—and in the current climate, it is difficult to blame them. Whilst the financial consequences of a data breach from a customer point of view are well-documented, a lack of trust internally can cause problems on a similar scale. After all, one of the core functions of the IT department is to make it as easy as possible for other areas of the business to operate their technology safely and effectively. Employee trust issues, however, seriously hamper IT's ability to deliver on this.
So how can IT repair this dysfunctional relationship and rebuild internal trust throughout the rest of the organisation?
Build a comprehensive endpoint security stack
It is no secret that the boundaries of data storage have become increasingly blurred over the last decade or so. Today, IT decision makers (ITDMs) believe that as much as 42 percent of corporate data is created and stored on endpoint devices. Of course, this only compounds the challenge that CIOs and CISOs face—they must safeguard data that is spread across the entire network, rather than that which is confined to the data centre.
This means that a single security tool rarely provides sufficient protection for the entire organisation. Truly comprehensive security should consist of a stack of solutions from vendors that are experts in their particular fields. For example: Anti-virus software to guard against malware and malicious software, endpoint backup and security to protect against ransomware and insider threats, and multi-factor authentication for adding an extra layer of defence to user accounts.
Once you have a security stack in place, the next step is to make sure other departments within the company are aware of the measures you have implemented. Even if they do not understand the technicalities, just knowing that company data is protected will make employees feel more comfortable entrusting IT with personal files.
Put clear policies in place
Does your organisation have a clear infosec policy in place? As an ITDM myself, I would guess your response to this questions would be ‘yes', and this is only natural—infosec is an important aspect of your role, and is bound to be at the forefront of your mind. More importantly, the follow-up questions you ask shed light on how clear your policy really is:
A) When was the last time you updated your policy?
B) If I asked a member of another department this question, what would they say?
A strong infosec policy is the result of ongoing conversations, rather than a single training session. To keep security on the radar of end-users, it is a good idea to use new application roll-outs and software updates to remind employees about best practice—especially with regards to the use of their endpoint devices.
To make sure these conversations are well received, ensure they are aligned with the priorities of other departments. Whilst nobody wants to get hacked, if you can relate your infosec policy to productivity and give real-life examples, you stand a much higher chance of success. Remind users that the temporary hassle of complying with a policy is nothing compared to the disruption that a data breach could cause.
Build inter-departmental relationships
Understanding and acknowledging the priorities of end-users is important not only for communicating infosec policy, but also fostering positive relationships with other departments in general. Although it can be frustrating if employees demonstrate a lack of interest or awareness in security measures, allowing this annoyance to become evident or behaving in a condescending manner towards them only exacerbates the problem.
Negative behaviour simply fosters an ‘us vs them' mentality, but you can work to change this adversarial relationship by opening a dialogue with other departments before things go wrong. This is effective because if you make users feel that you appreciate their good intentions, they are more likely to try and comply with your policies. Adopting a positive attitude is not rocket science, but in conjunction with effective tools, consistent communication and clear policies, it will pay huge dividends for restoring faith in the IT department.
Contributed by Rick Orloff, chief security officer, Code42