Achieving the Ultimate Buy-In: Getting Everyone in Your Organization Thinking and Acting with the Data Security in Mind


Posted on by Tony Kontzer

It's no longer a secret that relying on your company's IT security team to be the sole provider of workplace cyber security is folly. Recent incidents such as the WannaCry ransomware attack and the catastrophic Equifax breach remind us that in today's cloud-dominated, always-connected, device-centric world, everyone connected to a business—from employees and management to contractors and customers—plays a role in keeping data secure.

In fact, the concept of workplace cyber security being everybody's business has emerged as a major theme of National Cyber Security Awareness Month, which just happens to fall in October. Take a look around the Internet, and you'll find numerous chances to brush up on the topic.

There's a Symantec webinar next Wednesday; the Indiana Information Sharing and Analysis Center is hosting a free panel discussion on Thursday; and the topic is an area of focus next week at schools like Hunter College in New York City and Blue Ridge Community and Technical College in Martinsville, W.V.

There's a reason we devote a month to cyber security awareness: Because it's an increasingly big deal, one that we need everyone to give serious attention. And personal responsibility is a growing part of the security paradigm. Lamenting the need to embrace that responsibility is a national pastime, but allowing those laments to dictate our actions can bring grave consequences.

"I get it, passwords are a pain," says Kate Bischoff, an employment attorney and HR consultant in Minneapolis. "That doesn't mean that we get lax about protecting them or taking this information seriously."

Take the 2014 Sony Pictures hack, which was made possible by the fact that the company maintained a list of passwords in a spreadsheet labeled "passwords." It was the kind of exposure someone should have noticed, and which could have been easily fixed in minutes. Ignoring it, and thus allowing the breach to occur, led to Sony having to settle a multi-million-dollar class action lawsuit brought against it by the employees whose data was compromised and shared.

Not only did the incident expose employee data, it also introduced a serious crack in the trust between Sony and its employees.

"If you've let a hacker get my stuff and sell it, now I've got fraudulent tax returns filed and other problems, I might not trust you to protect my data," said Bischoff.

While Sony should do a better job protecting its employees' personal data, it also must enlist those employees to better safeguard the data themselves, for their own benefit and that of the company. In other words, security has become a symbiotic mandate.

But that introduces a challenge: How do you ensure that employees are equipped to help safeguard data? The hard truth is that the organization actually has to let its guard down to accomplish this by simultaneously training its employees in security basics while also giving them the keys to the data they're supposed to protect.

"You can't expect people to attend to good security unless they know what it is," says John Sumser, editor-in-chief and principal analyst for the HR Examiner. "You also can't teach someone how to keep the gate locked without showing them how to unlock the gate."

Bischoff advises companies to get employees thinking about security as a component of their everyday responsibilities. That means making them aware of why certain processes happen the way they do, how data moves around and when it's most vulnerable, what their specific responsibilities as data stewards are, and perhaps most importantly, what they should do if they see something goofy.

Sometimes, simply empowering employees with some new skills and insights will result in their taking more pride in a task, especially when they're making their own data safer in the process.

Roland Cloutier, chief security officer at ADP, agrees, suggesting that companies set the tone from the top by making it by communicating what employees can or can not do with data, and setting clear and reasonable behavior standards around accessing and using data. Cloutier believes that people are basically good, and that they'll rally around the cause if they understand the risks, and how important they can be to reducing them.

"They're not security professionals. They need to be instructed," says Cloutier. "They want to do the right thing. You've just got to set expectations."

And the most important expectation to set is the most overarching one: That we're all in this together, and that the responsibility falls upon all of us.

Contributors
Tony Kontzer

, RSAC

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs