The moment a data breach occurs, finger-pointing begins. Was it a reckless employee? Had the IT department not built enough protection? Was there inadequate training? Or maybe vendor data introduced a security hole.
In most cases, no single person or event is to blame; rather, an accumulation or combination of inadequate security measures is.
Five years ago, Richard Smith, former CEO of Equifax, testified before a Senate panel that responsibility for a massive company data breach should be assigned to a single employee who failed to install a patch, a gap ultimately exploited by a malicious attacker. He also blamed vulnerable software (Apache Struts) and a scanning tool Equifax used to search for vulnerabilities.
Identifying everyone and everything as the cause became convenient when it was too late. We also hear that Chinese hackers are to blame, or maybe faulty software or a cleaning lady. Corporate and technology leaders need to take responsibility for this because poor planning and training are often the root causes.
Recognizing the following key roles, responsibilities, and productive steps can help to break the blame game cycle.
IT Department
The IT department's primary responsibility is protecting corporate data. Secondary to that should be keeping the technology infrastructure working, developing useful applications, and/or purchasing the necessary software.
Data safety includes information encryption, proper backup and restore processes, and validating secure networks and computers.
Management
You would think that, with continuous breaches and cyber threats, management would be all in on security. Some are, and invest accordingly, but many others are not paying enough attention to data protection. IT departments should educate all levels of management on the dire ramifications of security breaches. A sufficient budget should be allocated for training, data encryption, and validating and patching company computers.
Employees
The easiest “soft” targets to blame are the employees. But in most cases inadequate training of employees is the true weak link. The behavior of individuals in most cases contributes to a breach. Appropriate training would have taught them not to open suspicious emails, visit untrusted websites, or connect personal devices to the corporate network.
External Vendors
Nearly 50% of security breaches originate with the company's external vendors. Instead of placing blame on the vendors after the fact, work with them to make sure their environment is as secure as your own ought to be. By selecting vendors based on the lowest cost and closing our eyes to their security deficits, we gain short-term financial benefits at the risk of much greater expenses later.
Conclusion
Punishing employees is not a solution. The whole organization should take shared responsibility for protecting the data. Create a positive culture in your organization regarding security. Instill an attitude of vigilance and confidence to discern threats as they arise. Encourage employees to report incidents and not to worry about being punished if a data breach has occurred. From implementing suggestions on securing the organization to providing a sufficient budget for IT to perform training and encrypt data, create a foundation of responsibility and a plan of action to take if/when a security breach has been identified.
Start with the following steps:
Regular security training should be conducted for employees. This should include instructions on how to identify threats and breaches.
Make it clear to employees that they will not be punished for reporting mistakes or breaches.
Simulate security attacks to identify vulnerabilities.