There are a million reasons why technology can lead to a data security breach. I could sit here and write about all of them (and publish a novel as opposed to a blog), or I could just focus on the #1 factor in data security that affected ALL of us and ALL levels of technology in 2014 (and every other year for that matter): People. Here, I'll examine some pros and cons of how People influenced information security in 2014.
Pro: Increased focus on role-based security training
Organizations are starting to spend more budget on security training. On top of that, we’re seeing different members of the team getting security training that is contextual to their job function, so they can understand not just what security awareness is, but why it’s important to implement it in their job. We’re also seeing that folks are becoming aware that it really is a human problem. A lot of data breaches are perpetrated because of human mistakes, and a research report from Symantec and the Ponemon Institute actually puts that number at about 35%.
Pro: Investment in security staff
According to the Ponemon Institute, implementing a strong security incident response plan and appointing a chief information security officer reduces the cost of a data breach by 20%. Considering that the cost of a data breach is substantial (estimated at about $100 per record lost), that 20% has the potential to be a huge cost savings. Keep in mind, investing in security staff is a two-edged sword: on the one hand, you have to find them and recruit them, and on the other hand, you also have to do what it takes to retain them.
Con: A majority of organizations do not have a formal training program in place
A recent Ponemon Institute study of nearly 1700 organizations found that 55% of organizations still do not have a security awareness program in place at all! Furthermore, 60% of those organizations had no plans, or weren’t sure, whether a security awareness plan would be put in place in the future. These organizations fall into the tempting trap of assuming they don’t need to invest in security awareness because they haven’t had any issues or breaches. However, in this case, ignorance is NOT always bliss. The whole point of security awareness training is investing in ways to proactively train your staff to reduce your attack surface and spot vulnerabilities more easily. Attacks will happen -- accept it and make your staff more aware. Most attacks take advantage of known vulnerabilities or an assumption that people will do the easy/dumb thing, e.g., leave the default admin login and password for a certain application or piece of hardware unchanged. While it is impossible to prevent 100% of data security issues, it is possible to arm your staff with the necessary tools and knowledge to minimize them (it’s easy, actually).
Con: Many organizations develop a “check the box” attitude about security training
Don’t get me wrong... Policies are wonderful. You need policies because they instruct your staff on what they’re supposed to be doing. However, a policy really is just a framework. For example, you can train your staff on password security best practices, but if they don’t actually understand why they need to change their password or make it more complex, they’re less likely to do so. And you need to remind your staff in more ways than a single training session. A full security awareness program is meant to teach best practices, hone ways to stay secure, and reinforce those messages. For instance, the combination of on-demand training, visual aids, interactions, quizzes, and collateral such as posters or regular mailers (e- or physical) can leave a profound mark on a person’s mind. Organizations should not make security awareness an annual policy, but rather an everyday conversation. And the more personal and meaningful you make it for your staff, the more effective the knowledge retention will be.