Few people would argue with the assessment that chief information officers (CIOs) and chief information security officers (CISOs) have a lot to worry about – nowadays more than ever.
Specifically, the rise of bring-your-own device, cloud computing and mobility trends, the ever-increasing threat of cybercrime in the form of hackers and malware, and the need to safely collect, store and process big data are all significant concerns for these types of executives.
Although staff carelessness might not immediately come to mind as being on par with the caliber of the threats outlined above, 60 percent of IT professionals who took part in a recent survey by service provider SecureData see this as the biggest security concern for their firms, ahead of data theft (13 percent), external malware (10 percent) and technology failure (7 percent). Somewhat surprisingly, none of the 110 participants cited cloud computing as an issue, which may suggest that executives’ worries related to the safety of information stored in the cloud have been quelled by efforts to address C-level misconceptions about the solutions and safeguard the technology itself in recent months.
In terms of the types of employees seen as being particularly high-risk, members of operations teams were at the top of the list, with 40 percent of survey respondents pointing to them as a problem. Finance staff were the second most-commonly cited workers who posed a potential threat to corporate security.
How can IT executives go about mitigating employee risk?
“There’s a huge opportunity here for organizations to tighten security simply by better educating their staff,” said Etienne Greeff, CEO of SecureData, in a statement. “Don’t leap to technical answers and complex solutions. This is not about budget-busting new technologies, but going back to basics.”
Speaking to SC Magazine, Greeff elaborated on this idea of simplicity.
“Their focus should be on producing a simple and straightforward security policy that’s easy for employees across the organization to understand,” Greeff said, speaking of security professionals such as CIOs and CISOs. “Once a policy is in place, it is then the responsibility of the C-level to ensure this security message is hammered home internally.”
A total of 40 percent of respondents to the SecureData survey agreed with Greeff, identifying employee education as being the most important step when it came to improving security.
Establishing secure processes goes beyond policy implementation
Ultimately, it isn’t enough to simply launch a policy and expect employees to follow it. Unless members of staff see a compelling reason to go along with new protocols, they will likely be tempted to eschew the rules in favor of what’s familiar – and this is especially likely when the processes being introduced seem more time-consuming or laborious than those currently in place. This is where education comes into play.
“It’s having policy, making people aware of the policy, how to take care of data and being clear that there can be sanctions for being casual about policy – but also don’t leave it all to the employees, put technology in place to help them,” independent security expert Bob Tarzey, director of research firm Quocirca, told SC Magazine.
People learn by example, so it’s vital that senior management plays an active role in establishing and enforcing security guidelines and paradigms. Employees should emerge from education sessions with a clear understanding of what’s at stake if they fail to use the appropriate precautions when handling company data. This could mean anything from avoiding public Wi-Fi networks when checking corporate email on their phones to always making sure they encrypt sensitive information, but what’s most important is that they walk away with an understanding that they have a responsibility to engage in secure behavior.
“This leadership must come from the top, with the C-level stepping up to tackle the security knowledge gap in their organizations,” Greeff said.
It’s understandable that CIOs and CISOs might become so focused on safeguarding their firms against external threats that they forget about making sure their own employees are up to speed, but this approach could prove costly and should be adjusted forthwith.
About Caldwell Partners
Caldwell Partners is a leading international provider of executive search and has been for more than 40 years. As one of the world’s most trusted advisors in executive search, the firm has a sterling reputation built on successful searches for boards, chief and senior executives, and selected functional experts. With offices and partners across North America and in London, the firm takes pride in delivering an unmatched level of service and expertise to its clients.