Whether trying to find ways to work around official systems to get on with their work or with more unethical intentions at heart, people are often seen as the weakest link in the security chain.
How can CIOs reduce PoPI liabilities resulting from employees’ actions that compromise data protection?
Employee actions that compromise data protection fall into two distinct categories in this regard: (1) intentional and (2) unintentional. Intentional acts by employees are deliberate, often in collusion with others and usually with some benefit accruing to the individual.
Such acts would fall under at least the company’s disciplinary procedure and most likely also the laws of the country, leaving the person liable to censure, prosecution and a likely impact to their working prospects.
Unintentional acts by employees that compromise data protection are more common and usually due to negligence combined with weak processes, poor data protection, lack of training, and often all three.
Highly intrusive process controls generally assume that employees are incompetent and likely to act in a negligent manner.
What is the balance between empowering employees to think better versus developing processes that cover every conceivable loophole?
For example, a sales person prints off the customer accounts just before he leaves the office because he wants to review them that evening before an early meeting in the morning.
An HR executive copies his department’s salary data to a flash drive as he doesn’t have a laptop and needs to review the data on his home PC.
The sales person leaves his file of print-outs on the bus with all the customer data, and the HR exec copies his salary data to his home PC, which is visible to the neighbour through his unsecured home Wi-Fi.
Should the company ban printers and USB drives to avoid these unintentional compromises to data?
With access to confidential information, what strategies can be employed to defend the organisation against internal compromise?
The most important strategy is training a workforce in a way that goes beyond box ticking and really gets to the heart of why these skills are important.
At a recent townhall we had a talk from a professional hacker and he positioned the importance of cyber-security in an extremely interesting way.
The body language in the room changed and people were alert to the importance of protecting the bank’s assets and our customers’ information through their daily work habits.
A well-known strategy for preventing intentional compromise is ensuring that all staff take leave for at least ten consecutive work days each year.
Ongoing fraudulent practices often require regular covering up by people in key positions, and this enforced ten-day yearly leave period will “break the fraud cycle” very effectively because other people will have to step in and run those processes during that time.
The idea of “radical transparency” is permeating the software development world through improved ways of working such as Agile and DevOps.
If there is an open culture of learning about security, challenging poor practices and whistle-blowing, then this crowds out the protected spaces where bad habits become risks and risks become compromises.
Consequences are also important and staff must be aware of what will happen to them and the bank if they are negligent or intentionally compromise important processes that protect information.
Through strong training, consistent openness and a clear understanding of consequences it is possible that neither the HR executive nor the sales person would have compromised the bank’s data in such a manner.
Gartner is pioneering a technique called “people-centric security,” which focuses on encouraging people to make better security decisions by giving them a set of rights and responsibilities, rather than by trying to control them with dictatorial policies and controls.
What are CIOs’ opinions and thoughts around this?
The idea of people-centricity is already becoming entrenched in software development environments through the Agile principles that centre on trust, self-organising teams and a culture of empowerment.
Software developers are knowledge workers and perform best when they are free to work independently.
Current software development also requires creativity and innovative thinking which is often not possible with rigorous bureaucratic processes.
Empowering people with training and awareness, and then trusting them within a culture of responsibility, will also be good for improving security management.
When people feel subordinated to a process they abdicate responsibility; if you treat them as if they are incompetent it is highly likely they will be negligent.
With the complex nature of IT architectures in large organisations, the people factor is even more critical; it is either the weakest link or the most valuable compensating control.
Getting employees to think like security-conscious owners of their own business will ensure proactive measures that actually perform better than intrusive policies and controls.
A minimum security standard for IT architecture is still absolutely necessary but it is only effective up to a certain point.
It is crucial that business users of IT assets such as the sales person and HR exec mentioned above understand how crucial their role is in the value chain of data security.
IT standards can protect “data at rest” but it is often the “data in use” that requires employees to think carefully and avoid negligent behaviour.
Treating these users of data as valuable people assets in the organisation encourages them to think of their data assets in the same way.