You've made the investment: a hardworking IT team, firewalls, anti-malware, encryption for sensitive files and a protection policy that all staff have signed. Aware of your company's liability if personal information gets into the wrong hands, you know that security and good safeguards are a big deal, and you're determined that your organization be confident in protecting customer data. Unfortunately, however, something in your plan isn't working: when an audit is performed, sensitive data is revealed as still being sent over insecure networks, and too many files are being left on open drives. When asked about the problem, your IT team complains about employee habits, while business management has a hard time using the solutions in place. There's been an increase in news reports about password theft, and you're concerned it's only a matter of time before a hacker gets in. What's going on?
Welcome to one of the most common problems in security today: the utter disconnect between business, operations and technology. It's a new spin on a longtime issue, what many organizational experts refer to as 'enterprise silos', where business units within the same organization lack understanding of, and communication with, other departments. Unlike other office disconnects, however, it's a problem that carries much more risk: a disengaged security and operations team is downright dangerous for your business data.
In a world of increasing information leaks and data breaches, hackers continue to use what works best: phishing schemes, password theft and human error. Why break through the wall when they can convince employees to hand over access? Spear phishing schemes in particular continue to be the bane of security teams everywhere: all an attacker needs to do is convince the user that an email link is from a legitimate source and, bingo, they're in. It's a simple tactic, and it's scary in its effectiveness: security firm Symantec saw a 55% increase in spear phishing attacks in 2015, while the Better Business Bureau of Canada estimates a loss of 5.8 million in one year alone.
Unfortunately, while software systems with web traffic analysis can lower the risk, smart phishing schemes can still get in, which is why employee awareness is critical. Here, think behaviour modification, not policy signing: staff need ongoing training and communication so that they develop regular habits of quarantining first and trusting later, and a healthy sense of scepticism before auto-clicking. Encrypting files and using secure networks should be the first thing on their minds when sending sensitive information, not an afterthought, and it becomes the norm only through active practice. Staff need to understand that security tools are not optional: they are requirements of the job, and when new cyber threats are targeting your industry, everyone should be on the lookout.
While staff security awareness is part of the puzzle, also be aware of how your security practices have changed operations. Word to the wise: if using specific tools means staff can't do their jobs in time to meet client or management expectations, they will find alternatives and work-arounds. Security-savvy staff can help reduce the risk of human error, but don't forget that the reason security tools exist in the first place is to serve and protect the business, not the other way around. Here you need to get IT and operations in the same room: what are the current expectations? Are there any obstacles to using the security tools, such as added time, stalls, user disconnect or failure to meet business requirements? To be effective, a security plan needs buy-in and confidence from all parties involved, and the less inconvenient it is for staff to use, the faster the adoption rate.
Making security part of your corporate culture makes good business sense. Information and data saved and moved through safe channels are less likely to be stolen, while a staff that already practises good security habits reduces the risks further. Ongoing security awareness efforts also create additional benefits: as new threats, vulnerabilities and challenges continue to erupt online, staff can report odd happenings, and IT can notify others when new phishing schemes or other trouble has been spotted. When everyone considers it part of their job to protect the business's information and data resources, it raises the bar and provides the level of protection your organization deserves.