October is National Cyber Security Awareness Month, and this year’s theme is meant to remind individuals of their role in securing information, as well as the devices and the networks they use. Failure to understand this relatively simple cybersecurity message can have embarrassing consequences, as banking giant The Goldman Sachs Group, Inc. learned earlier this week when hackers published the personal information of several employees, including CEO Lloyd Blankfein.
Goldman Sachs was not the only big name in cybersecurity news this week. After news surfaced that Facebook had been gathering information about the websites its users visited even after users logged out of the social network, two congressmen urged the Federal Trade Commission (FTC) to investigate the company’s practices.
In a letter to the FTC, Congressmen Edward J. Markey (D-Mass.) and Joe Barton (R-Texas) said tracking users’ behavior without their knowledge “raises serious privacy concerns.” Facebook says it is working to correct the matter, but Barton and Markey want the FTC to investigate and make sure the practice is stopped. Barton and Markey also urged the FTC to investigate the use of so-called “supercookies” that allow websites to capture personal data about consumers.
Daniel Conroy, CISO and global head of information security at BNY Mellon Corp., says organizations should make clear to employees their role in protecting their own — as well as the company’s — sensitive information. Conroy said protecting data starts with communicating to employees what is acceptable and what is not with regard to risk management. He suggests providing security awareness training to all employees.
“If employees don’t know what information is important to the company, how are they going to know what not to post?” Conroy asked during a presentation at the MIS Training Institute’s IT Governance, Risk and Compliance Summit in Boston last month.
Conroy focused on how the expansion of social media makes sensitive company information especially vulnerable — and noted that it’s important to establish a balance between satisfying business needs and mitigating risk when using such sites. He noted that avoiding things as simple as posting company organizational charts online could go a long way toward avoiding leaks of business info. Most importantly, he suggests companies anticipate the evolving risks as part of a cybersecurity strategy, and communicate these risks to all employees. Companies could go so far as to create a security awareness campaign using techniques such as posters, videos and email blasts to get the message out and encourage employees to participate.
The bottom line is that protecting information starts with the individual. With more people incorporating personal technology in their business activities, companies can be hurt when personal information is leaked. As a result, companies would be well served to show employees how they can protect themselves and the information they offer online … which will in turn help protect the business.