This is the first in a three-part series written for National Cyber Security Awareness Month.
For the IT professionals on your team, cybersecurity is a concern that’s woven into the fiber of every task, day in and day out. That’s at least partly because cybersecurity is a key job responsibility for them – their performance hinges on, and is measured by, their ability to keep company data and systems secure.
But for other employees at your company, including members of your C-suite, cybersecurity can be far removed from their day-to-day consciousness. In fact, unbeknownst to them, their to-do lists may even include tasks that are in direct conflict with the airtight security the IT team is trying to achieve.
The cybersecurity disconnect starts at the top
According to the 2016 Dell Data Security Report, almost three-quarters of IT and business decision makers agree that data security is a priority for their organization’s C-suite. But despite this, IT teams still report that senior executives don’t pay enough attention to security concerns, and about 25 percent don’t feel their C-suite is informed about data security issues. Moreover, only one in three respondents feels very confident in their C-suite’s ability to budget enough for data security solutions over the next five years.
The trickle-down effects
This disconnect trickles down to the rest of the workforce. Dell’s 2017 End-User Security Survey found 72 percent of employees are willing to share sensitive, confidential or regulated company information if it helps them accomplish their day-to-day tasks. Moreover, the way employees share this information is often unsafe. More than half of employees (56 percent) use Dropbox, Google Drive, iCloud and other public cloud services for sharing or backing up their work, and 53 percent use a personal account to access these services. Forty-five percent of employees use email to share files with contractors and other third parties.
And despite the fact that 63 percent of employees receive cybersecurity education training, 24 percent engage in unsecure behaviors to get their job done.
So why does corporate leadership say data security is a priority but then fail to act accordingly? And why isn’t cybersecurity education keeping employees from making bad choices? Well, it’s simple. Most people in an organization are not measured on their security hygiene. They’re measured – and rightly so – on a variety of metrics to demonstrate productivity and success based on their department’s and the company’s goals. So what can be done to help ingrain security throughout the entire organization?
IT teams must have a seat at the table
The IT team is a vital stakeholder and knowledge center for most corporate initiatives, but often they’re required to simply react to business plans that are already underway.
When IT teams aren’t involved from day one in designing and vetting major company initiatives – such as BYOD programs, mobility and work-from-home programs, policies and procedures surrounding the use of contractors, and other scenarios common in today’s workplace – budgets won’t be allotted correctly and the right technology, policies and procedures won’t be implemented.
Security curriculum, policies and procedures must be based on real-world scenarios
Even in an ideal situation where an organization’s C-suite is well-versed in security issues, and IT has the opportunity to weave cybersecurity best practices into the overall business strategy, it is crucial that education, awareness, policies and procedures trickle down to every employee at the company. Some cybersecurity risks are more obvious than others, and the assumption that everyone in the company understands all the risks is a dangerous one. Framing security risks in terms of real-world examples and scenarios can help everyone in an organization get smart on the issue.
For example, most employees will recognize that they can’t share customer credit card information with anyone. However, a marketing manager may not think twice about sharing a customer list with personally identifiable information on it with a contractor – information that could be used to engage in identity theft if it fell into the wrong hands.
This is why it’s vital to communicate policies and procedures using real-world examples that employees are likely to encounter:
- What should they do if a supervisor tells them to share a certain file?
- What type of information can be shared, how and with whom?
- What are the potential consequences of violating these policies?
Employees must be empowered to be productive – safely
Education is important, but it’s not enough. Companies must give employees the tools they need to do their jobs more securely.
Dell believes effective security should embrace the way employees work, whether it’s when they are in the office, at home or on the road. That is why Dell has gone beyond protecting data at rest to protecting it no matter where it goes, controlling and tracking access along the way with Dell Data Guardian, a solution we developed in-house to provide file-level encryption and enterprise digital rights management to protect, control and monitor data both inside and outside of the network. Data Guardian goes above and beyond data encryption by protecting data when it moves to another device or is in use.
In this new era of mobility and digital collaboration, cybersecurity is everyone’s business. Data security shouldn’t be a productivity-killing hassle for employees or an uphill battle for IT teams – it should be a seamless collaboration, with each team playing its part to make security best practices easy to understand and ingrained throughout the workplace.