Cyber Security Group

It's 2013 For Goodness Sakes!

Created: 20 Mar 2013 • 1 comment
Phil Harris

You know, it’s 2013 and we still have this issue of employees believing that corporate data is their own to do with as they please. In a recent Ponemon survey report, ~two thirds of employees believe this to be true. Unfortunately, this is an incredibly big problem going forward with the advent of Cloud and Mobility. We now have more places where data can be put than ever before and, more importantly, in most cases without the employer’s knowledge. So, the question is this: why is security awareness failing to meet the mark after all these years?

Well, there may be a couple of different answers to this question: 1) It’s possible that most companies don’t understand the value of the information they have and, hence, aren’t training employees (properly) about their responsibilities regarding corporate information; or 2) Companies still don’t see security awareness as an important element of driving employee conduct in their organizations.

I’ve been in information security for a while now, and this issue of employee security awareness still mystifies me: that there’s either not enough of it or that it’s even occurring in companies – even regulated ones. The simple answer is that employees don’t own the data created, used, processed or even disposed of, even if the employee had a hand in the creation of that information, unless of course the employee and company had a specific agreement in place that stipulated ownership to the employee – rare, even in the most extreme cases.

There are too many options for employees to copy or otherwise take information and move it to a place where they can use it down the road. Cloud and Mobile exacerbate this issue, given the ease with which information can be moved or copied without anyone’s knowledge. Many companies today are still trying to catch up with data monitoring and discovery just within their own networks, let alone as the data moves outside the company.

So, what to do? Well, companies could continue to stick their heads in the sand and claim blissful ignorance. They could claim this is a chicken-and-egg problem whereby, if they don’t have the ability to effectively monitor information theft, then there’s no use in creating employee awareness. Or they could simply create another responsibility for Human Resources: conduct employee security awareness training as a key part of all employee awareness training, and do this at new hire and on an annual basis. AND, if you have some budget, look into creating a Data Loss Prevention program to at least monitor where your data is going and also to help remind employees automatically when they’re violating policy.

My key message to companies out there! It’s bad enough that hackers and attackers are stealing your information; do you want your employees adding to this problem? Implement basic security awareness training and implement basic solutions that can help remind employees of their responsibilities.

Comments

hforman

I feel the same way. But it is, technically, worse! The data does not actually belong to the company, in many cases. It actually belongs to the company's customers/clientele. If I buy something at a store, does my credit card info belong to the store or to me?

Throw in governance: HIPAA, HITECH, CJIS, PCI-DSS. So now if employees think they can put this data on a laptop or tablet and work at home and the device is lost or stolen, who pays the $12 million in federal fines? What about third-world employees of public cloud services that ask their employees to read through everything you upload and then sell/give the data to third-party organizations?

Some items of modern technology have set data security back at least 10 years... maybe longer.

 
