Improving Data Privacy One Employee at a Time
Published 02/04/2016
By Rick Orloff, Vice President and Chief Security Officer, Code 42
It’s no Hallmark holiday, but here at Code42, Data Privacy Day is kind of a big deal. We think it should be a big deal for your organization, too. It’s a great chance to focus on the biggest security threat in your organization: your end users and their devices.
As IT and InfoSec professionals, we spend a lot of time on complex strategies that protect us from the most sophisticated cyber threats. And then we spend more time cleaning up the messes that employees get us into just by clicking malicious links. These unintentional “user mistakes” are the biggest insider threat today, causing around 25 percent of data loss.
Your end users don’t care about data security procedures
Why are end users so mistake-prone? Because, frankly, most don’t care. They think data security is IT’s problem—that if IT does its “job” and filters out the threats, they have nothing to worry about. Moreover, when they do something careless, they think it’s IT’s job to come to the rescue. They don’t understand the risks they create for the company, or the fact that once the bell is rung it can’t be unrung. So, they go on ignoring security policies and finding creative workarounds for security measures that inconvenience them—such as turning to “shadow IT.”
This is changing, and we’d like to help.
Code42 + National Cyber Security Alliance = Data Privacy Month 2016
Code42 is partnering with the National Cyber Security Alliance to champion Data Privacy Day and the entire Data Privacy Month of February. We’re helping enterprise security professionals address the problem of end-user education and motivation.
Making data security an end-user responsibility
Ready to celebrate this joyous holiday? Then it’s time to “talk turkey” with your end users. Here are some key considerations and topics to get you started:
1. Security education should be an in-your-face affair
Talk to employees, face-to-face. They ignore your emails and videos.
Your employee education has to a) deliver a crisp, meaningful message; b) demonstrate that security is a core responsibility mandated by executives; c) close the loop between what you say and what employees understand; and d) hold employees accountable. Part of holding employees accountable is providing the easy-to-use tools and capabilities employees need to do their work securely.
2. Focus on keeping a clean machine
You might not be able to win the fight against “shadow IT,” but make sure your employees understand exactly how an unknown or unapproved app can quickly lead to a massive data breach that extends far beyond their device. It’s also important that they see how apps for personal use (social media, gaming, etc.) are not designed to offer the same level of data security as enterprise-grade productivity apps—and why installing these apps on work devices creates open doors to the entire enterprise ecosystem.
3. No more lazy passwords
This one can be fun. See if you can guess your end users’ passwords. It’s amazing how many people use something like “password” or “123456.” Call them out on using the same password for every login (as 73% of enterprise employees do). Call them out on never changing their passwords (47% of people use passwords that are 5+ years old). Take the group on a cubicle tour and see how many Post-It Note passwords you can find. If you haven’t already, implement technical controls to support your policies.
4. Have doubts? Throw it out
This one’s simple: don’t be gullible. Remind employees not to open emails, click links or open attachments from unknown or suspicious sources. It’s uncanny how many people say, in retrospect, that “something seemed odd” about that email in broken English—but they figured the spam filter hadn’t caught it, so it must be safe, and they clicked the link. To that end, make sure they understand that spam filters are just the first line of defense—they’re not perfect. Show them how to use your company’s spam filters: how to make sure filters are on, how to refine the filtering by flagging spam, and how to report a suspicious email, attachment, etc.
5. Endpoint backup is your best friend
Make sure your employees know that endpoint backup is the closest thing to a “Get Out of Jail Free” card in the data security world. The best way to get employees to embrace endpoint backup is to promote its benefits. Demonstrate how the “utility” makes it easy to work anywhere and recover any file in real time with or without the original device. This capability (with no IT intervention) will make IT the hero when employees lose data or suffer a malware attack at a critical moment.
6. Make the call for accountability
Make it clear that data security is everyone’s responsibility and that it’s not a cliché.
End users are actually the ones on the front lines of the battle—IT and InfoSec teams are more like the generals pushing big-picture strategies. End users are often the primary points of attack and need to embrace the defense strategies provided to them. They need to understand that all the fancy security tools in the world are worthless if they don’t follow the rules. They need to understand the true impact of even a tiny mistake—that IT can’t always “fix” it, and that a small error could easily lead to immense costs, lost productivity, brand damage and more. This can’t be overstated. Most importantly, no employee—not even trusted administrators and executives—should expect absolution for ignorant or careless actions. At Code42, several data privacy “no-no’s”—not having full disk encryption on laptops, disabling Code42 CrashPlan for any reason, etc.—are fireable offenses. Considering the damaging impact of data loss, we don’t think this is harsh—we think it’s critical to creating a culture of accountability.
Be privacy aware. Take the pledge and enter to win an iCloak.