Changing the Security Culture within an Organisation – How to be Forearmed Against an Internal Data Breach

By ISBuzz Team, Writer, Information Security Buzz | May 20, 2015 05:08 pm PST

Hindsight can be a wonderful thing, but when it comes to data security and potential breaches, it’s best to ensure that your security policies and tools are able to protect your organisation. Yet, despite the regular headlines caused by high-profile data breaches, many organisations still do not know how best to react once breached or, indeed, follow best practice to prevent a breach from happening in the first instance.

New research conducted by Bloor Research, in conjunction with Boldon James, highlighted data security as a critical or serious concern for most organisations surveyed, with data classification recognised as a foundational tool for ensuring data security. But whilst organisations may have the best intentions, some are still missing a trick and suffering potentially costly data breaches that not only impact revenue (particularly with the impending European General Data Protection Directive set to come into effect shortly) but also their reputation within the industry and their customer base.

So what measures should organisations look to implement, both in advance of, or after, a breach to ensure they have effective information governance strategies in place?

Don’t spend, spend, spend on any old security tool

Imagine the worst has happened and your organisation has suffered a data breach because a highly sensitive document was shared with a third party instead of a colleague. What do you do? Our research revealed that the most common reaction following a data breach (accounting for 86% of respondents) is to pump money into purchasing new data security tools and attempt to tighten security policies, assuming this will diminish the risk of future breaches.

This poses the question: which tools do you actually need? Is it a firewall, a Data Loss Prevention (DLP) solution, a Network Access Control (NAC) device, a Security Information and Event Management (SIEM) solution? All of the above? Organisations are faced with lots of options on new and next-generation tools to purchase, but before they can make a choice they must also decide what it is they need to protect and how they are going to solve the overarching problem of understanding the value of the data to the business – if you don’t know what your data is, how can you decide how to protect it?

Many analysts including Forrester and Gartner now recommend that organisations adopt a data-centric security strategy. This means deploying tools that ensure the security afforded to an email or document (or any data within the corporate network) travels with that data throughout its lifecycle to inform any and all security decisions. Organisations can no longer just set up security policies and permissions that end at the network perimeter. With an increase in the ways data is shared and also the devices on which data is held in the workplace, data needs to be stored and communicated carefully and correctly to minimise the risk of a data breach, particularly with the advent of the BYOD and CYOD trends within businesses.

Include the users; don’t hide data security from them

One of the biggest assets organisations already have when implementing new security arrangements is often the one neglected from the beginning – the users. Historically, anything to do with IT security was kept away from users by IT teams concerned that it was either too complex, too disruptive or required specialist skills to execute. However, this mindset needs to change and is changing – in reality, users are already on the front line of data security, as they are the ones creating and handling the data and are therefore best placed to understand its value to the business. Our research revealed that 60.5% of organisations focus on increasing user awareness and training following a breach, which is a positive sign. Including users expands the reach of IT security across the entire business and gets users proactively thinking about how to protect information and prevent a breach.

Such was the case with Allianz Ireland, which implemented a user-driven data classification solution in order to protect sensitive and valuable information assets and distinguish between the different types of data used by the organisation. The solution required users to select a classification value before a document could be shared or an email sent. Within several months, they not only saw a 60% improvement in employee awareness of data security practices, but also found a significant reduction (89%) in breaches.

Changing the culture and perception of security

In order to make a real impact within an organisation, either before or after a data breach, there must be a change not only in the data security tools and policies, but also in the security culture of the entire business. Implementing a data-centric security approach, driven by users’ knowledge of the value of the data, can deliver tangible business benefits and reduce the risk of a data leak.

By Martin Sugden, Managing Director, Boldon James

BIO: Martin joined Boldon James in 1998 and has over twenty years’ experience in the security industry. He led the Management Buyout (MBO) of Boldon James backed by ISIS Equity Partners and the subsequent sale to QinetiQ. His career began with Ernst & Young as a Chartered Accountant and he has been the CFO of two LSE-listed companies, the first of which he floated. His main passion is business development and he has held significant roles in a number of blue-chip UK and US companies. Martin has an honours degree in Economics and Geography from Bradford University.