Instilling the importance of information security as an everyday activity

I haven’t read the whole study yet, but I was intrigued when I came across a strategy+business blog post from earlier this month about recent research on the effectiveness of information security efforts at large U.S. firms. The study found that IT professionals assess the threats to their firms’ data security quite differently from their non-IT counterparts (at both the management and frontline-worker level).

The study found that almost 60 percent of IT and data security professionals see employees as the most likely source of accidental or intentional breaches. Being a part of the IT and audit community, it’s not news to me that employees are in fact one of the biggest security threats an organization faces.

What is interesting to me, however, is that according to this study, many non-IT managers still think that the biggest information security threats come from outside their organizations: 39 percent of non-IT managers named hackers as the biggest threat. (Only 4 percent of IT participants in the study agreed that hackers are the biggest threat.)

According to the study, the two most effective ways to prevent security breaches caused by employees are a loyal, engaged workforce and effective security training. I agree on both counts, but I’d add a third measure: incorporating information security into all aspects of a business, from strategic planning to day-to-day operations.

Here at Ventiv Technology, we approach information security as a company-wide responsibility; what that means in practice, among other things, is applying information security protocols to policies, procedures and processes that are often thought to be outside the scope of traditional information-technology department responsibilities. Here are two examples of what I mean by this:

  1. Ensuring that only authorized employees are able to access sensitive information (system administration, account management, HR, sales proposals, etc.).
  2. Ensuring that every employee knows to lock his or her computer screen when leaving the workstation, even if it’s only to pick up a document from the printer or get a cup of coffee.

We’re in good company when it comes to our attention to the three Ps: policies, processes and procedures. In March 2014, Ventiv attained certification of ISO 27001:2005 compliance by BSI Group, an independent provider of management systems assessment and certification. A major part of that certification focused on the three Ps, often to the minor annoyance of colleagues who wondered how, for example, ISO certification is related to keeping a workspace free of papers, locking their computer screens whenever they leave their workstations, and securing other potentially sensitive information.

But as this study shows, information security spans the entire organization, even if that can be hard to see from the perspective of the individual employee. That is the view of almost 60 percent of information security professionals, as well as of the entire Ventiv Technology staff roster.

Natalie Bykova is manager of Ventiv Technology's IT Compliance program, based out of the Atlanta office. Contact Natalie at natalie.bykova@ventivtech.com

Nov 20, 2014
