- Use Cases
- Why Dizzion
Dell recently put out a great survey that takes a look at how employees understand and act in regard to corporate data security. While there are of course some outlier employees who are trying to steal information, the Dell End-User Security Survey 2017 largely points to a major theme: employees worry about security, they just don’t know that they’re being unsafe or are willing to risk it in order to get the job done. From the survey:
“… even employees who have been educated on the risks of sharing confidential data without following security protocols have not fully “bought into” the consequences that can arise from this behavior. They understand their actions are risky yet still are not deterred by the potential consequences, which feel ethereal compared to the tangibility of their daily workplace tasks.”
By understanding the current state of employee cybersecurity, internal teams can learn how and where to beef up their programs and what additional solutions may need to be introduced to help further strength data security.
Thankfully, the study found that, overall, employees want to protect confidential information. They understand that risks exist and are even concerned that not being fully prepared or vigilant may cause an issue.
This underlying understanding of an individual’s responsibility to help protect corporate cybersecurity is unfortunately undermined by a general lack of knowledge (even after security training) and pressure to perform. So while employees mostly want to do the right thing, there are a few major obstacles standing in their way that form a large portion of continued security issues.
While the majority of employees understand the need for cyber security, they don’t always follow through with best practices. The reason for this gap is typically because they’re still unclear about how to protect confidential data or they opt for unsafe practices to achieve better productivity.
Productivity and ease trump security:
This creates a climate where employees may inadvertently cause a data breach despite their best efforts, or worse, cause a breach because they view security as getting in the way of doing their job effectively and efficiently.
The Dell survey makes it clear that organizations need to do a better job of training employees on cybersecurity and find ways to keep policies, procedures and standards top of mind for workers. Organizations also need to find a healthy balance between productivity and security – and ensure that message is reinforced at every level of the organization. (While it’s not a direct example, an unbalanced drive toward results above all else is arguably what caused the major Wells Fargo scandal.)
In light of the findings of this survey, though, it’s clear that organizations that are concerned about cybersecurity – particularly those within highly regulated industries – should consider taking steps that go beyond cybersecurity training. Implementing controls and having a proactive approach to security can take much of the question out of the hands of employees.
For instance, implementing controls that prohibit certain high-risk actions can help combat situations the Dell survey uncovered, such as the fact that:
Locking down functions like saving to an external drive or cloud can mitigate this risk, forcing employees to follow the company’s security policies.
Implementing security controls is best addressed based on use cases. Separating employees into use cases allows companies to implement the proper security protocols and controls based on the functions each group needs to perform. Committing to a more customized (rather than a one-size-fits-all) approach to security helps protect employee productivity while minimizing risk and the chance for data mishandling and mistakes.
You wouldn’t give every employee the company’s banking information, so why would you let all employees add attachments to emails if that’s not a necessary part of their job function? Identify high risk functions and disable them for any employee that doesn’t need that ability to perform their job. Think of security controls like the bumpers on a bowling lane. Employees know the goal is to get the ball down the center of the lane, but bumpers are just there to help make sure everything stays on course and in bounds.
Another security short-coming within many organizations is not adequately protecting data access.
If you leave confidential information accessible and open, you will eventually experience a data breach. End of story. Protect data whether it’s in the hands of a contractor or a thief who stole an employee’s laptop by making sure the data is always stored within a password protected application or – better yet – an isolated, secure virtual desktop environment. This allows account access to be revoked at any time and ensures data is never stored on the endpoint itself where it is vulnerable. (Virtual desktops also make it easier to manage user group controls since every desktop is based off a customizable golden image that allows security and control changes to be quickly and easily pushed to an entire workforce.)
While each organization is clearly different, companies should use Dell’s survey to honestly evaluate their culture and approach to data security. Whether you need more security education, or additional controls and solutions to help continuously guide employees (or both), taking a proactive approach that addresses may of the issues raised by the survey will result in a stronger organization – and less chance of an internally triggered data breach.
Take the time to read Dell’s entire 10 page survey, it includes many more statistics and insights that can help companies understand how to better address security.