It's tempting to think of information breaches as the plight of high-profile companies, characterised by targeted attacks executed by criminal masterminds.
However, the truth is that these incidents happen to businesses both large and small, and the majority are simply the result of human error.
Lost hard drives, careless file sharing and leaving sensitive paperwork out in plain view are all too common causes of embarrassing and damaging data leaks. Just last month, a London City worker was dealt a £75,000 fine for sending confidential client information over the mobile messaging service WhatsApp. It goes to show that the real threat to your business is probably much closer than you think.
But creating an environment of information security isn’t just about getting IT systems in order and educating staff on the protocols; it’s about breaking hazardous habits and building new, safer ones, ultimately reducing risk. A workforce may fully understand and accept its data security policy, but getting staff to implement it is an entirely different story.
There are four key activities businesses can conduct to reduce risk and create a watertight culture of information security in the workplace.
First and foremost, every employee should be offered training and education on information security in order to understand the risks and how to avoid them. This should be a continuous effort, not just a one-off training session.
Businesses must also think creatively about the format and delivery of training. The subject matter may seem dry and sit low on the agenda for many; therefore sessions should be highly interactive to ensure 100 per cent engagement.
Talking at people for half a day will have little impact on behaviour change. Try practical exercises with plenty of opportunity for discussion and debate. It should be an open forum so consider it a red flag if employees have no questions or queries throughout the session.
Self-policing is guaranteed to get employees engaged in data security, especially when a competitive and light-hearted approach is added. Encourage your workforce to be on the lookout for anyone who has walked away from their desk without locking their computer or has left confidential paperwork visible, so they can stage a hijack.
It won’t take long until employees lie in wait to see if one of their colleagues slips up, prompting an impersonation email to the financial director requesting their monthly wage be donated to charity. You’ll be surprised at how few become repeat offenders with a system like this in place.
Set up a phishing email programme for all staff and monitor their responses. Those that raise dubious emails as a security issue should be rewarded for their vigilance.
It goes without saying that many cyber attacks or information losses start via suspect emails sent to businesses. Those who fail to report emails (or worse, click on the embedded links) should be educated further on what they should be on the lookout for. Not only will this allow you to identify and address liabilities within your organisation, you’ll also incentivise secure behaviour and quickly instil new habits, which could prove invaluable in the event of a genuine threat.
Consider adding a clause into your HR policy detailing specific disciplinary matters associated with an information security breach. All fun and games aside, your employees should be made well aware just how seriously your business takes matters of data security.
Information security is no longer the sole responsibility of IT and compliance departments, as it has been for many years. With employees dealing with ever increasing volumes of information, across multiple formats and devices, individual accountability is now paramount. Facilitating a cultural shift internally is perhaps the most challenging part of achieving this, but you’d be foolish not to make it a priority. After all, the biggest security threat to an organisation comes from within.
Andrew Bridges is data quality and governance manager at REaD Group.