GDPR makes employee data security education essential

February 9th, 2018


by Doug Snow

The compliance regulation du jour is the EU’s General Data Protection Regulation (GDPR). But many companies aren’t ready for the May 25th deadline and many don’t even know they need to pay attention. Of course, knowing whether your organization is subject to GDPR is only the beginning. You have to take steps to ensure you comply.

As more and more compliance regulations come into effect, it’s creating a lot of work for businesses as they shift, evolve or completely overhaul business processes and deploy tools to meet the requirements. The effort is worth it, though: This is an opportunity to show your customers how committed you are to building a solid relationship of trust – starting with protecting their data. And you can avoid massive fines at the same time.

Of course, no tool or process will ever be effective if people aren’t on board. A security education program can help you build that solid foundation with people to encourage shared ownership of data security across your organization. That classic annual security training video everyone watches for half an hour (to pass a quiz that proves they recalled the information for five minutes) is no longer enough.

Nearly every employee signs an employment agreement that obligates them to follow corporate information-handling policies. Even an accidental leak or disclosure can result in termination of employment, but what tools do we give people to actually comply?

Today, the consequences are far-reaching, and people have long memories (and search engines). The fines levied and goodwill lost can lead to the failure of the business and countless lost jobs. That’s why it’s imperative to help employees be part of the solution.

So, how do you get people to use effective, secure data handling practices? Here are three ways you can focus your efforts to build a program that will win them over.

1) Build awareness of the data and data protection policies of the organization

This doesn’t mean you need to give everyone an in-depth overview of GDPR or any other compliance legislation. Instead, they need to know the kinds of data that need to be protected across the organization – even when it’s not part of their job.

As they learn about the types of data, they need to know what level of sensitivity applies to each and why. When people understand the policies and the reasoning behind them, it’s easier to make good decisions about the data they’re handling.

The education shouldn’t end as people leave the training, though. You’ll want to keep promoting awareness in various ways:

  • Posters with reminders throughout your facilities
  • Ongoing training sessions to keep people sharp
  • Sharing stories about how people are mindful of security

Without a foundation of awareness, people won’t be able to take the next step of being mindful of information sensitivity as they go about their day-to-day work.

2) Encourage mindfulness about data security

When awareness resonates in a lasting way, it leads to a more intentional focus on protecting the data people handle. With GDPR looming, that’s an important goal! Your organization will benefit from people who go through their workday mindful of the data that’s being passed around. They become your first line of defense against data breaches.

Your awareness efforts can help bolster mindfulness by providing reminders to consider the sensitivity of data.

Having mindful people makes the use of technology for data protection more effective. Introducing tools that apply markings and trigger data protection policies can serve as one more way to build mindfulness right into the workflow. When every document has the sensitivity level clearly marked, it’s easier for employees to see at a glance how the material should be handled.

The technology takes this a step further by preventing inadvertent breaches, disclosures or losses: a document carrying a sensitive marking can be blocked from being sent to unauthorized recipients. The control is only as good as the marking, though, which is why the awareness and mindfulness work above has to come first; a document nobody labelled, or labelled carelessly, is exactly the one the tool will wave through.

How many times have you been rushing to the next meeting or trying to leave at the end of the day? You fire off an email and realize it went to the wrong person or group right after you hit send. There’s no calling it back, so having a tool that prevents those errors is invaluable.
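The send-time gate described above, written out as an added example (this is illustrative code, not TITUS’s product or its API; it assumes a hypothetical `X-Classification` header carries the marking, that the organization’s own mail domain is `example.com`, and that only `Public` content may leave the organization). The sample messages are constructed for the example. The check reads the marking from the message and from any attachment, takes the highest one as the effective label, and fails closed when a marking is missing or unrecognized, so the misaddressed “Cc to a partner” case and the “no label at all” case are both caught before the message leaves:

```python
import email
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered marking scheme; a higher value means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


LABEL_HEADER = "X-Classification"           # assumed header name for the marking
INTERNAL_DOMAINS = {"example.com"}          # assumed: the organisation's own mail domain
MAX_EXTERNAL = Sensitivity.PUBLIC           # highest marking allowed to leave the organisation
DEFAULT_LABEL = Sensitivity.CONFIDENTIAL    # unlabelled or unrecognised marking: fail closed


@dataclass(frozen=True)
class Decision:
    allowed: bool
    label: Sensitivity
    external_recipients: tuple
    reason: str


def parse_label(value):
    """Map a marking header value to a Sensitivity; anything unknown gets DEFAULT_LABEL."""
    if value is None:
        return DEFAULT_LABEL
    try:
        return Sensitivity[str(value).strip().upper()]
    except KeyError:
        return DEFAULT_LABEL


def effective_label(msg):
    """High-water mark of the message label and any attachment's own label.

    An attachment without a label of its own inherits the message label.
    """
    label = parse_label(msg[LABEL_HEADER])
    for part in msg.iter_attachments():
        if part[LABEL_HEADER] is not None:
            label = max(label, parse_label(part[LABEL_HEADER]))
    return label


def recipients(msg):
    """All addresses in To, Cc and Bcc (Bcc is still visible at the sending side)."""
    values = []
    for header in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in msg.get_all(header, []))
    return [addr for _, addr in getaddresses(values)]


def is_external(addr):
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def check_outbound(raw):
    """Decide whether a serialised message may be sent; intended to run at send time."""
    msg = email.message_from_string(raw, policy=policy.default)
    label = effective_label(msg)
    external = tuple(a for a in recipients(msg) if is_external(a))
    if external and label > MAX_EXTERNAL:
        return Decision(False, label, external,
                        f"{label.name} content may not be sent to external recipients")
    return Decision(True, label, external, "ok")


def build_sample(to, label=None, attachment_label=None):
    """Constructed sample message (not real mail), with optional markings on body and attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = to
    msg["Subject"] = "Q3 plan"
    if label is not None:
        msg[LABEL_HEADER] = label
    msg.set_content("See attached.")
    if attachment_label is not None:
        msg.add_attachment(b"placeholder document bytes", maintype="application",
                           subtype="octet-stream", filename="plan.docx",
                           headers=[f"{LABEL_HEADER}: {attachment_label}"])
    return msg.as_string()


if __name__ == "__main__":
    samples = {
        "internal only": build_sample("bob@example.com", "Internal"),
        "misaddressed Cc to partner": build_sample("bob@example.com, bob@partner-example.net", "Internal"),
        "unlabelled mail to press": build_sample("press@news-example.org"),
        "public mail, restricted attachment": build_sample("press@news-example.org", "Public", "Restricted"),
    }
    for name, raw in samples.items():
        d = check_outbound(raw)
        print(f"{name:36} {'ALLOW' if d.allowed else 'BLOCK'}  {d.label.name:12} {d.reason}")
```

Two design choices are worth calling out. Treating a missing or misspelled marking as Confidential is what makes the gate fail closed; a tool that treats “no label” as “Public” silently reintroduces the mistake the gate exists to catch. Taking the highest marking across the body and every attachment stops the common case where a harmless cover note carries a sensitive file.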

3) Empower people to take appropriate action and be accountable

Knowledge is power. Putting knowledge into action reinforces what they’ve learned. When there’s only a handful of people in your entire organization who have the responsibility to train, monitor, audit, and maintain all data security efforts, they’ll be more successful if they can build an army of champions for good data security practices.

When awareness and mindfulness lead to reputation-saving preventative action, reward those instances and share the stories to continue the cycle.

Education is key to building a culture of security

The result of all this work is a culture of security where security mindfulness is the status quo of your organization. And when you have the whole company working together to protect sensitive data across your organization, it doesn’t matter what the next data protection regulation is – your entire organization will be ready, willing and able to meet it head on together.

Doug Snow is vice president, Customer Success at TITUS, where his 30 years of IT industry experience and project management expertise make him ideal to lead the team that ensures our customers’ needs are taken care of every step of the way.


Protect private data by building a culture of security

January 25th, 2018

By Steph Charbonneau

This Sunday, January 28th is Data Privacy Day. The recognition of this day by governments and other organizations has been a reason for people and businesses to talk about data privacy and security. But first, we have to talk about what those words mean.

What is data privacy?

Countries around the world have passed legislation acknowledging that individuals have a right to privacy, meaning we should have the ability to control when and to whom access is given to our personal information. This type of legislation is more important than ever as technological advances have increased the amount of data we share.

Why should businesses care about data privacy?

Because it’s good for business. After all, we need consumers to trust us. Today’s businesses and many other organizations rely on data assets to support, sustain and fuel operations. When you look at the large-scale data breaches that have made the news, it’s clear that organizations have to step it up when it comes to protecting the data that keeps them going.

It’s easy and even instinctual to try to fix breaches by building a technological fortress, but that’s not a true long-term solution. Technology is only as strong as the weakest user password or passcode on a lost device. And let’s not forget the surge of shadow IT that circumvents the fortress. The connected nature of our world combined with the human nature of people means technology is an incomplete solution.

Organizations need to build a culture of security

When you actively seek to make security a part of the culture in your organization, you make education, awareness, and accountability an integral part of day-to-day work. It becomes habitual to look for and notify management about vulnerabilities.

  • The door that doesn’t quite close all the way
  • Visitors being admitted without signing in
  • Confidential information left in public areas
  • Access badges branded with the company logo, which tell whoever finds a lost one exactly where it opens doors
  • Laptops not secured to desks

These examples don’t necessarily relate to technology but ensuring the protection of data means addressing every access point – both physical and virtual.

How do you build a culture of security?

The responsibility for security can’t be shouldered by one person or even one department. And changing culture and behaviors isn’t easy, but the investment will pay off in protecting your business and the data you collect and generate. Here are some steps you can take to get started.

1) Educate employees about data

The security policy new hires sign during orientation isn’t enough. Make ongoing education about data and data handling a priority. People need to understand what data is sensitive so they know to take appropriate steps to protect it. But you can’t guarantee that people will just know your policies and practices. Only when people know how to identify and handle data appropriately can they be accountable for doing so.

2) Promote ongoing awareness

Establishing a shared responsibility for security only works when people are aware. Make awareness an ongoing effort. Hang posters that grab attention and share tips. Send emails with stories and examples of people raising concerns. Make it a community effort and encourage peer recognition. Get help from security advocates or champions who speak up and help the cause.

3) Use technology to enhance and enable security

A tight culture of security is the first and best line of defense against data breaches. But mistakes happen and vulnerabilities get exposed. Providing tools that help users identify the type of data they’re using so they use, share, store, and dispose of it appropriately makes it easier to prevent and/or contain breaches. These tools are like a seatbelt for your data: Once you’re in the habit of using them, you don’t feel as safe handling data without them.

Data privacy is an ongoing concern

The conversations about data that start around Data Privacy Day each year are important to have, but just like the ongoing effort of building a culture of security, we have to keep the conversation going throughout the year.

Steph Charbonneau is one of the founders and chief technology officer for TITUS. His background as an IT security architect helps bridge the gap between customer requirements and TITUS products.


Honoring Those Who Serve and Sacrifice

November 10th, 2017

I’m moving too fast. We probably all are.

As the weather begins to cool, I realize that the day we honor soldiers who have served faithfully and dutifully is nearly here. And then I wonder if I’ve taken enough time to reflect. To show my appreciation. Have I – at the very least – donated enough money to veterans associations to help ensure that our veterans and their families are properly supported when they need it?

The answer is usually, embarrassingly, no.



“Keep This Between Us” and Other Classifications

October 12th, 2017

The recent data breach at Equifax was apparently the result of a failure to apply a software patch that was made available several months ago. I’m not writing this blog to continue piling on the situation and bash the information security team while they’re down. What I do want to focus on is the need for immediate action. In the world of data security, five months is an eternity.

What we believe here at TITUS (along with many others in the industry) is that most breaches can be avoided if we change how users – you, me, and all our colleagues – think about data. We need to adjust the user’s mindset and bring the thought of security into the daily routine.



CUI Compliance – What You Need To Know (Part 2)

October 6th, 2017

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. As of December 31, 2017, all federal contracts will require contractors to comply with the Federal CUI Rule (32 CFR Part 2002) that governs the treatment of CUI.

In the second installment of this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some additional questions on Controlled Unclassified Information (CUI) compliance.


CUI Compliance – What You Need To Know

October 2nd, 2017

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. This framework standardizes practices around the sharing of controlled unclassified information, with the goal of improving the sharing of information across Federal executive branch agencies.

In this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some key questions on CUI compliance.


TITUS Brings Message of Importance of a Strong Information Security Culture to Key International Events this Fall

September 11th, 2017

Summer is not over…summer is not over… Ugh, fine – summer is over… And without missing a beat, the TITUS team is out on the road for what is going to be an incredibly busy fall, jam-packed with events, roadshows and speaking engagements. We will be attending and speaking at a number of key security events worldwide in the coming months, highlighting the importance of creating and maintaining a culture of security for effective information protection.



TITUS and Palo Alto Networks

June 20th, 2017

We at TITUS are excited about our new partnership with Palo Alto Networks and the value we will bring to organizations together. Palo Alto Networks, recognized as a leader in the Next-Generation Firewall market, and TITUS integrate to enable secure sharing of sensitive information throughout the enterprise. Once a document has been classified by TITUS, the Palo Alto Networks firewall can leverage our classification metadata to prevent data loss across email, the data center, and insecure systems and managed devices.

For more information about the integration, visit the integration page on our website, and read our joint solution brief that further describes the integration value.


The First Step Toward GDPR Compliance

May 11th, 2017

Last week my colleague Mark Cassetta described how data categorization could be used as a means to simplify information classification and protection. This week I would like to expand on this concept to show how categorization can be put into practice. The EU General Data Protection Regulation (GDPR) is only 12 months away, yet only 10 percent of organizations affected by the GDPR report that they are “completely ready” to comply with the regulation (Osterman Research), so it seems like a great example for highlighting the use of categorization.

The key goal of the GDPR is to ensure that any organization that controls or processes personal data about EU residents also properly protects that data. In fact, organizations must show that data protection is a fundamental design aspect of their data workflows and processes, not something bolted on afterwards.

So, where does an organization start?



Data Categorization or Data Classification?

May 3rd, 2017

In the last few years there has been a dramatic shift from data classification being “nice to have” to becoming a “need to have”. Behind this momentum, private companies and organizations are implementing data classification using “traditional” taxonomies and schemas that worked for governments and militaries, but don’t necessarily translate well into the workflow or culture of commercial enterprises.

When TITUS started over a decade ago, many of our first customers were large government and military organizations who were familiar with the concept of classification. We all remember the “secret” and “top secret” rubber stamp with red ink used to classify paper documents and files before the dawn of digital productivity tools. As a result, when government and military customers began to deploy classification, their users were already well educated on the meanings and appropriate use of their classification taxonomies. As classification has moved into commercial enterprises, the template for classification has remained unchanged. As a result, many enterprises have struggled to find a way to align classification labels and policies with their own unique needs.

