You know, it’s 2013 and we still have this issue of employees believing that corporate data is their own to do with as they please. In a recent Ponemon survey report, roughly two thirds of employees believed this to be true. Unfortunately, this is an incredibly big problem going forward with the advent of Cloud and Mobility. We now have more places that data can be put than ever before and, more importantly, in most cases without the employer’s knowledge. So, the question is this! Why is security awareness failing to meet the mark after all these years?
Well, there may be a couple of different answers to this question: 1) It’s possible that most companies don’t understand the value of the information they have and, hence, aren’t training employees (properly) about their responsibilities regarding corporate information; or 2) Companies still don’t see security awareness as an important element of driving employee conduct in their organizations.
I’ve been in information security for a while now, and it still mystifies me that employee security awareness training is either not happening enough or not happening at all in companies – even regulated ones. The simple answer is that employees don’t own the data they create, use, process or even dispose of, even if the employee had a hand in creating that information. Unless, of course, the employee and company had a specific agreement in place that assigned ownership to the employee – rare, even in the most extreme cases.
There are too many options for employees to copy or otherwise take information and move it to a place where they can use it down the road. Cloud and Mobile exacerbate this issue, given the ease with which information can be moved or copied without anyone’s knowledge. Many companies today are still trying to catch up with data monitoring and discovery just within their own networks, let alone as the data moves outside the company.
So, what to do? Well, companies could continue to stick their heads in the sand and claim blissful ignorance. They could claim this is a chicken-and-egg problem, whereby if they don’t have the ability to effectively monitor information theft, then there’s no use in creating employee awareness. Or they could simply give Human Resources one more responsibility: conduct employee security awareness training as a key part of all employee training, at new hire and on an annual basis. AND, if you have some budget, look into creating a Data Loss Prevention program, at a minimum to monitor where your data is going and also to automatically remind employees when they’re violating policy.
My key message to companies out there! It’s bad enough that hackers and attackers are stealing your information; do you want your employees adding to this problem? Implement basic security awareness training, and implement basic solutions that can help remind employees of their responsibilities.