Data Breach. Who is to Blame?



The moment a data breach occurs, the finger pointing begins. Was it a reckless employee? Did the IT Department fail to build enough protection? Was training inadequate? Or did a vendor's data or systems introduce a security hole?


In most cases there is no single person or single event to blame; a breach is usually the accumulation of several inadequate security measures that failed together.


Five years ago, Richard Smith, former CEO of Equifax, testified before a Senate panel that responsibility for the massive breach of company data ought to be assigned to a single employee who failed to ensure a patch was applied; the unpatched vulnerability was ultimately exploited by an attacker. He also blamed the vulnerable software itself (Apache Struts) and the scanning tool Equifax used to search for vulnerabilities, which failed to flag the unpatched system.


Once it was too late, it became convenient to name everyone and everything as the cause. We also hear that Chinese hackers are to blame, or faulty software, or the cleaning staff. Corporate and technology leaders need to take responsibility here, because poor planning and training are most often the root cause.


Recognizing the following key roles, their responsibilities, and the productive steps each can take helps break the blame-game cycle.


IT Department

The IT Department's primary responsibility is to protect corporate data. Keeping the technology infrastructure running, developing useful applications, and purchasing the necessary software come second to that.


Keeping data safe includes encrypting information at rest and in transit, maintaining backup and restore processes that are actually tested, and verifying that networks and computers are securely configured and kept patched.


Management

You would think that, with continuous breaches and cyber threats, management would be all in on security. Some are, and invest accordingly, but many others still do not pay enough attention to data protection. The IT Department should educate all levels of management about the serious ramifications of a security breach, and a sufficient budget should be allocated for training, data encryption, and validating and patching company computers.


Employees

The easiest "soft" targets to blame are the employees. Individual behavior does contribute to most breaches, but the true weak link is usually inadequate training. Appropriate training would have taught employees not to open suspicious emails, not to visit untrusted websites, and not to connect personal devices to the corporate network.


External Vendors

By many industry estimates, nearly half of security breaches originate with a company's external vendors. Instead of blaming vendors after the fact, work with them to make sure their environment is as secure as your own ought to be. Selecting vendors on lowest cost while closing your eyes to their security deficits buys a short-term financial benefit at the risk of a much greater expense later.


Conclusion

Punishing employees is not a solution. The whole organization should share responsibility for protecting its data. Create a positive security culture: instill an attitude of vigilance and the confidence to recognize threats as they arise, and encourage employees to report incidents without fear of punishment when a breach has occurred. From implementing suggestions on how to secure the organization, to providing IT with a sufficient budget for training and data encryption, build a foundation of shared responsibility and a plan of action to follow if and when a security breach is identified.

Start with the following steps:

  • Conduct regular security training for employees, including instruction on how to recognize threats and breaches

  • Make it clear to employees that they will not be punished for reporting mistakes or breaches

  • Simulate attacks (phishing simulations, tabletop exercises, penetration tests) to find gaps before an adversary does
