By now, everyone is familiar with the major talking points surrounding digital security. We know the potential costs of ignoring security issues, as well as many of the steps required to prevent them.
What we talk about less, however, is how the people within an organisation contribute to digital security. Of course, there are the constant hiring issues and discussions surrounding IT security skills shortages, but that isn’t the point of this article. Instead, we are focusing on the individuals outside of your IT department who have a major impact on whether or not your data remains secure.
IT security threats are usually pictured as outside actors, from malware to black hat hackers to corporate espionage. While these threats certainly exist, a huge portion of data breaches involve insiders: the Ponemon Institute’s 2017 Cost of Data Breach Study found that 28 percent of breaches were caused by ‘human error,’ and a substantial portion of the 47 percent of breaches caused by malicious attacks were caused by organisation insiders.
Clearly, these can’t be handled in the same way as outside threats. Typical IT security safeguards won’t stop someone with legitimate access from negligent or malicious action. However, there are steps that can be taken, such as adopting the principle of least privilege, where all user accounts up to and including administrator accounts have the bare minimum access required to do their job. This won’t stop breaches, of course, but it can help minimise damage.
What can go much further than account restrictions is encouraging employees to share issues and concerns, fostering the so-called ‘employee voice.’ Listening openly and uncritically to employee concerns has two primary effects: employees can share concerns about practices or behaviour, highlighting issues before they become problems; and employees will be more inclined to promptly bring up a potential issue in which they have been involved, allowing a potential breach to be mitigated.
Fundamentally, this vital input will come from employees who feel that they are listened to and their concerns are taken seriously, thereby feeling better about the organisation of which they are a part. If an employee’s concerns are discarded out of hand, they are far less likely to bring up future concerns. If staff are routinely punished for minor issues, it is unlikely that anyone will admit to taking an action that could result in a security breach.
The primary difficulty with fostering an environment which takes the employee voice seriously is that it has to be embraced by the entire organisation. You won’t get anywhere trying to convince individuals that security issues will be taken seriously if all other concerns they raise are ignored, or there are routinely consequences for speaking out.
Clearly, empowering the employee voice isn’t everything and organisations still need to take every precaution to prevent data breaches. It is, however, a piece of the digital security puzzle that can be extremely expensive to ignore, but costs nothing to implement.
Sources include: Ponemon 2017 Cost of Data Breach Study / IPA Involve Employee Voice