UK firms are suffering a record number of security breaches. The root cause is often a failure to invest in educating staff about security risks, a failure usually only recognised after the event.
Reading through the rather good ‘Information Security Breaches Survey’ from PWC, there are a number of points which jump out at me.
“Possession of a security policy by itself does not prevent breaches; staff need to understand it and put it into practice. Only 26% of respondents with a security policy believe their staff have a very good understanding of it; 21% think the level of staff understanding is poor.”
I have been banging this drum for a while, and whilst it seems like common sense to raise awareness of security policies, the common problem for companies is how to embed a culture of security without interrupting workflow, and then how to enforce a policy in a manner that is non-intrusive, practical and measurable.
“Overall, breaches caused by staff were at a similar level to the 2010 survey, which was a substantial increase from 2008. As in the past, large organisations are much more likely to have these breaches than small ones. Four-fifths of large organisations reported such breaches compared to just under half of small businesses. The biggest single contributor is staff misuse of the Internet and email.”
This is so important it is worth repeating: the BIGGEST single contributor is staff misuse of the Internet and email.
So we have a blend of staff, security policy, culture and email which is creating a perfect storm for data breaches. (I am covering email rather than the Internet here, as a recent Symantec study revealed that 80% of data breaches were via email.)
There is not a single answer to this, albeit the DLP vendors would have you think otherwise, but there is a quick and cost-effective win.
Where Do You Start?
Implementing a user driven data classification solution such as TITUS software covers off the majority of the points to address the biggest single threat to a company’s data.
When an email is created the user classifies the security level of the email with 1 or 2 clicks.
The staff are guided to classify correctly based on your own security policy.
The mere act of classifying forces the user to think, backed up by immediate on-screen alerts of security policy breaches.
The email cannot be sent if it breaks the security policy.
Each email has embedded metadata which can be used by downstream technologies, e.g. DLP, encryption, RMS, e-Discovery and so on.
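To make the gating and metadata steps above concrete, here is an added illustration (my own example code, not TITUS software): the user's chosen label is checked against a small constructed policy, a breach produces the alert the user would see on screen and blocks the send, and a compliant email is stamped with classification headers for downstream tools. The labels, the header names and the organisation domain example.co.uk are all assumptions.

```python
from email.message import EmailMessage

# Constructed policy: which recipient domains each label may be sent to (None = anywhere).
# Labels, ranks and the organisation domain example.co.uk are assumptions for this example.
POLICY = {
    "PUBLIC":       {"rank": 0, "domains": None},
    "INTERNAL":     {"rank": 1, "domains": {"example.co.uk"}},
    "CONFIDENTIAL": {"rank": 2, "domains": {"example.co.uk"}},
}

def build_message(to, subject, body=""):
    """Construct a sample outbound message (stand-in for the user's draft in the mail client)."""
    msg = EmailMessage()
    msg["From"] = "staff@example.co.uk"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def recipient_domains(msg):
    """Every domain the message is addressed to, across To/Cc/Bcc."""
    addrs = []
    for hdr in ("To", "Cc", "Bcc"):
        if msg[hdr]:
            addrs += [a.strip() for a in str(msg[hdr]).split(",") if a.strip()]
    return {a.rsplit("@", 1)[-1].lower() for a in addrs}

def check_policy(msg, label):
    """Return (allowed, alerts); alerts are the on-screen messages shown to the user."""
    rule = POLICY.get(label)
    if rule is None:
        return False, [f"Unknown classification '{label}'; pick one of {sorted(POLICY)}"]
    alerts = []
    if rule["domains"] is not None:
        external = recipient_domains(msg) - rule["domains"]
        if external:
            alerts.append(f"{label} email may not be sent to {sorted(external)}")
    return not alerts, alerts

def classify_and_gate(msg, label):
    """Apply the user's chosen label: block on a policy breach, otherwise stamp metadata."""
    allowed, alerts = check_policy(msg, label)
    if not allowed:
        return False, alerts              # the email cannot be sent
    subject = str(msg["Subject"] or "")
    del msg["Subject"]                    # replace rather than add a second Subject header
    msg["Subject"] = f"[{label}] {subject}".strip()
    # Constructed header names; downstream DLP, encryption or e-Discovery would key off these.
    msg["X-Classification"] = label
    msg["X-Classification-Rank"] = str(POLICY[label]["rank"])
    return True, []
```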
Lastly, a word from PWC.
The average cost of the worst security breach for large organisations was between £110,000 and £250,000, while for small businesses the cost ranged from £15,000 to £30,000.