When it comes to cybersecurity breaches, we have seen the enemy, and the enemy is you. More specifically, it’s your fellow members of senior management. In three separate midmarket studies released this month, the majority of participants pointed the finger of blame squarely at themselves when asked to identify their company’s biggest data security risk.
With so much news about large-scale data security breaches at major companies — including Target and Neiman Marcus, just in recent weeks — there’s been a lot of focus on the outsiders who are finding their way in. Who are these super-hackers, able to burrow into data these big companies have paid millions to protect? Of course it’s important to identify the perpetrators, but there’s also something to that whole ounce of protection being worth a pound of cure.
In the largest of the three studies, a Stroz Friedberg online survey of about 700 information workers, more than half graded the response of American companies to cybersecurity threats a “C” or lower. Almost three-quarters said they were concerned that hackers “could break into their employers’ computer networks and steal their personal information.”
The biggest perpetrators in this survey were those in top leadership positions. Call it carelessness, call it hubris, whatever you call it, it puts a company’s assets at risk. A majority of senior management respondents — 58% — said they’d accidentally sent sensitive information to the wrong person via digital means. Another scary number: Nine in 10 senior managers copped to uploading work files to personal email and cloud-based accounts, potentially opening their companies to data theft and network attacks.
So what’s a CIO to do, in addition to keeping his or her own behavior in check, that is? The experts seem to agree on three steps: education, education and more education. In the Stroz Friedberg survey, respondents who said they avoided risky digital behavior pointed to strict company policy as the reason. That’s great, but there’s probably a little more to it. A company can have the tightest security policies in corporate America, but if no one reads them, they’re worthless. These policy-abiding employees likely come from companies where leaders take the time to make sure the rules are fully understood. Former White House CIO Theresa Payton put it well in a conversation with SearchCIO about cybersecurity:
“It needs to not be that thing the security group does; it needs to be something that’s seen as a part of the corporate culture — not a once-a-year ‘check it off the list,'” Payton said. “It’s posters, it’s conversations, it’s case studies, it’s healthy competitions where you’re playing Internet safety games, it’s a variety of different things. In the beginning, it’s got to focus on the individual, because that’s how they’re going to remember it. ”
As for getting the data security risk message to fellow executives and senior management, Payton had some helpful tips for that as well. Even if you regularly provide them with security briefs and information, they may not be reading/remembering that information — so find ways to make it stick:
- Communicate in their terms, according to their goals and directives. Connect your security information to their important business initiatives.
- Look at the company strategy. Tie your security conversation to individual company objectives.
- When new projects are announced, talk about the changes you’ll be making to security to accommodate that project.
What are your best tips for curbing data security risk? Drop us a note in the comments.