Your Biggest Security Threat? It Isn’t Hackers
If you think the biggest threat to your company’s information security is some shadowy hacker slipping in through the cloud, better think again. That’s according to a recent report by The Economist Intelligence Unit.
In fact, the biggest risk to information is actually employees, according to Information Risk: Managing digital assets in a new technology landscape. The report also notes that “Increased collaboration with third parties and outsourcing are doing more to increase risks to information than cloud computing, big data or bring-your-own-device (BYOD. Moreover, only one in four companies (27%) report an extensive awareness of information risk across the organization, the report says.
Major data breaches such as the Adobe password theft have grabbed the headlines and raised the awareness of the boardroom to security issues, but not necessarily in the right way, according to the report. Instead, such issues have focused awareness on break-ins and other cyber-attacks, leading executives to believe that if they can just protect against that, the company’s information will be safe. “More than three-quarters of respondents believe that information risk can largely be mitigated by technology fixes to hardware and software,” the report reads. “Yet the focus on cyber-attacks and technology fixes threatens to overshadow the central role that employees play in mitigating — and creating –risk.”
High-level cluelessness doesn’t stop there. Only one in four companies (27%) report an extensive awareness of information risk across the organization, and fewer than one in four respondents (23%) said they would know enough to take the lead in the event of a breach. In particular, in the past year over half (57%) of CEOs have not been trained on what to do after information has been lost or stolen. Moreover, the importance of protecting information has not filtered down to lower levels of the organization, either, according to the majority (57%) of respondents. The divisions most on the ball? IT and finance, where the most critical information is thought to reside.
The report also recommends a number of courses of action for companies to follow to improve security.
- Capitalize on high-profile cyber-attacks: Take advantage of the fact that the board is actually paying attention to security, even if it’s misguided, to win support for a comprehensive, company-wide view of information risk.
- Move beyond the view of information risk as an “IT problem.”
- Understand how information is used by the business: Make sure to include business units in working out what information is most critical to the organization.
- Educate, educate, educate: Make training relevant, and update it frequently. “Regular training should be tailored to the audience and avoid tick-box exercises,” the report warns.
- Develop a document deletion policy to at least reduce the amount of information that can be stolen and needs to be protected.
- If your company is working with third parties through outsourcing or other programs, make sure they’re on board: “Less attentive partners can be a ‘back door’ into your organization,” the report notes.
The report also notes that placing a monetary value on information is a “tricky but growing practice.” While only one in ten companies have assigned a monetary amount to all types of information they hold, the trend is moving in this direction, with half of all companies either putting a monetary value on some information or actively considering doing so, the report says.
Despite everyone’s best efforts, nearly half (48%) of organizations experienced a loss of information due to a data breach in the past two years, according to the report. Fortunately, though, the majority of respondents said they would not rule out doing business with another company suffering a breach.
That’s good to know, and flies in the face of conventional wisdom that having a data breach is something to be ashamed of and hidden. The report notes that a major hindrance to security has been a “cone of silence.” Too many companies seem to believe in security through obscurity and don’t reveal data breaches unless they are forced to by the government — thinking that admitting to them shows weakness on their part. But in the end, it’s only when victims share their stories that other companies can learn to protect themselves.