Recent data breaches such as the Ashley Madison1 and TalkTalk2 sagas have painted a very grim portrait of the state of corporate data protection, but also a very honest one. The root cause of many of these high profile breaches comes down to simple human error. Businesses need to understand, educate, and put in place, the necessary protection and security policies to combat the issue of data security.
As the amount of data we are handling increases, the variety of devices in which we store it grows, and the multiplicity of places in which we access the data spreads, the need to secure sensitive information has become paramount.
New research, conducted by IronKey by Imation and Vanson Bourne, surveyed 500 IT decision makers in the UK and Germany to uncover the risks of remote working and inquire into the security measures organisations have in place. The findings raised concerns over senior management, with 44 percent of organisations believing that a member of their senior management has lost a device in the last year, whilst 39 percent say senior management had a device stolen. Even more concerning is that the vast majority (93 percent) of these devices contained work related data, including confidential emails (49 percent), confidential files or documents (38 percent), customer data (24 percent) and financial data (15 percent).
The results highlight that it is not only non-senior employees putting corporate data at risk, but those at the top who are failing to educate on data protection, but also failing to put even basic security in place when it comes to their own security practices.
The ramifications of a data breach can be considerable. Aside from the obvious financial and reputational damage, there is the threat of losing your employment. You only need to look at the 2014 Target breach3 in which two senior employees left the company as a result of the security failings there, and more recently, when global cyber-security company, Symantec, dismissed several staff members after they were caught issuing fake Google SSL certificates4. The IronKey research evidenced the threat to employment with thirty seven percent of the survey respondents aware of someone in their organisation having faced disciplinary action due to lost files or work data, and 32 percent aware of an employee having lost their job as a result within the last year.
The research highlights the reality of data loss and the need for more education to manage the security of corporate data and protect employees from the repercussions of a data breach. Educating users and executives is one of the most crucial in reducing a company’s vulnerability to an attack. Whilst IT departments are providing some of the necessary tools and putting some policies in place to ensure employees are keeping data secure, it is clear that those at the top of the corporate ladder are also increasingly likely to put confidential company information at risk.
Education plays an important role in data security. Our research showed that 67 percent of surveyed businesses are aware of employees breaking their organisation’s security rules to take work outside of the office. Businesses need to put policies in place and enforce them, ensuring that employees are aware of the procedures and that they are straightforward enough that employees will not look for opportunities to break the rules.
Data should always be encrypted, passwords must be protected, and organisations must be confident that all devices have the necessary policies applied and that devices can be remote wiped in the event that they are lost or stolen. Education should start at the top – whether a senior level employee or not, the security rules and best practices apply to everyone. No-one is exempt from a security breach.
- BBC News Online – Ashley Madison infidelity site’s customer data ‘leaked’.
- The Guardian – TalkTalk customer data at risk after cyber-attack on company website.
- ZDNet – Target CIO Jacob resigns following data breach.
- V3 – Symantec fires employees for issuing rogue Google security certificates.
[su_box title=”About Nicholas Banks” style=”noise” box_color=”#336588″]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.