According to a recent Ponemon Institute study, the odds of an organization having a data breach are 1 in 4. The study also found that the average cost of a data breach is $3.62 million in 2017. That’s a drop of 10%, but the size of data breaches has increased.
The Human Problem
The vast majority of information security incidents and data breaches occur because of human mistakes. Information security is only in small part a technology problem; it is largely a human problem. The biggest risks to security are human errors — people putting data where it doesn’t belong, people not following policies, people losing portable electronic devices with data on them, people falling for phishing and social engineering schemes.
Having a robust technical cybersecurity infrastructure is very important, but it alone isn’t enough. A recent Harvard Business Review article by Dante Disparte and Chris Furlow reinforces this point quite well. “Firms can be lulled into a dangerous state of complacency by their defensive technologies, firewalls, and assurances of perfect cyber hygiene. The danger is in thinking that these risks can be perfectly ‘managed’ through some sort of comprehensive defense system. It’s better to assume your defenses will be breached and to train your people in what to do when that happens.”
The Human Answer
In addition to technology, effectively preventing and dealing with data breaches involves humans. The problem is the humans, but so is the answer.
According to the Ponemon study, there were significant data breach cost reductions for having an incident response team, extensively using encryption, and engaging in workforce training.
All of these things don’t merely happen by technological magic – they involve organizing humans, creating and following policies, and educating humans.
Humans are an organization’s best eyes and ears. Many potential breaches are spotted by people recognizing something unusual. People are on the front lines of the defense. By immediately reporting anything suspicious, people can help catch a breach before it becomes a catastrophe.
Security is complicated because it essentially requires each employee to act with a high level of awareness and vigilance, a state that is hard to sustain. Over time, corners tend to get cut more, busy people tend to do more careless things, practices tend to become sloppy. That’s human nature. Complacency sets in. Being on one’s toes isn’t an easy state to maintain.
These problems are best addressed through training. Merely showing people a PowerPoint or putting them through a program that’s the equivalent to an airline safety video is a waste of time. People must be engaged. They must care. And the message must be repeated over and over and over. People aren’t robots, after all. They forget quickly.
I’ve seen many attempts at training that assume that if you merely tell people what to do, they will do it. But we all know that’s not how humans work. Unlike robots, people need to be motivated, not just told.
Good security requires an awareness campaign. It’s about creating a culture of security awareness within an organization. Security awareness must be at the forefront of employees’ minds on a day-to-day basis. And that includes not just internal employees but the countless other companies that interact with an organization’s data.
From the Harvard Business Review piece: “When we say all employees have to be risk agile, we mean all. C-level executives, board directors, shareholders, and other senior leaders must not only invest in training for their firm’s own employees but also consider how to evaluate and inform the outsiders upon whom their businesses rely — contractors, consultants, and vendors in their supply chains.”
Encrypting data is something that requires thoughtful planning and implementation to execute. It must be done with humans in mind, as people will evade and not follow policies and procedures if they are too inconvenient. So policies and procedures should be set up not only with an eye to the technology, but also an eye to the humans. With the right level of ease and the right incentives, people will follow policies and procedures. But this won’t happen automatically.
Good Vendor Management
Vendor management is another area where humans play a huge role. People must vet, select, contract with, manage, and monitor vendors that receive personal data. Because so many breaches happen at the level of the vendors, good vendor management is of critical importance.
Incident Response Team
Incident response is another area where humans play a huge role. As the Ponemon/IBM Security study reveals, having a good incident response team makes a huge difference in the cost of a breach. The effectiveness of the team depends upon having well-prepared people. This is a human issue, and effective response is much more than a paint-by-the-numbers exercise.
Human Answers Often Aren’t Costly
Dealing with the human issues often isn’t costly and has a huge ROI. Again from the HBR article, “The fact is, cybersecurity training is vastly undercapitalized, and the lack of investment in quality cyber education programs is manifest in the sheer volume of breaches that continue to be rooted in human failure.” The HBR article sums things up nicely: “To be clear, technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver.”
A Security Culture
Organizations that do the best with security do it through a serious commitment to security, from the bottom to the top. This means that the CEO must be involved and engaged. It means that the Board of Directors must be making security a priority.
Things like these are the intangible human factors that are often difficult to measure and quantify. But they make a huge difference.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.