Turn Your Users Around
by Tim Upton
It’s been a long time coming, but the mandatory breach notification laws will be in force in Australia next February (Privacy Amendment (Notifiable Data Breaches) Act 2017). Having seen similar regulations in effect in North America, and with the knowledge that they’re also coming to Europe next year in the form of the EU GDPR, it is impossible for any business to ignore the issue of data security. Organizational change is necessary across the globe.
I was recently in Australia, and the new legislation was a very hot topic in meetings with both existing partners and new customers, bringing up a multitude of questions. From a general perspective, it’s fantastic that more and more organizations are wising up to security (and there are countless surveys to back this up), but from our experience, most seem to be struggling with the myriad of different ways to protect their data and the persistent threat of breaches.
As a result, we’re seeing organizational security budgets continue to increase, which is an indication that things aren’t working. Teams are becoming overwhelmed, with most feeling like they’re not making any progress. They’ve tried a lot of things, but with limited to no success.
Historically, businesses have tried to solve their security problems by putting in point solutions or ‘black boxes’ as a hopeful miracle cure. But after many years, much expense, and inadequate results, they are coming to realize that their people – the employees – are participants in most breaches, and that this is therefore where action needs to be taken.
What’s important to remember about the new legislation is that it will bring a new level of scrutiny to an organization’s own internal mistakes. Human error (that accidental attachment, the sharing to personal email addresses, or the incorrect ‘Steve’ in an email) means that organizations will be forced to take a closer look at the finer details of everyday working life across their workforce.
So it’s time to try something just a little bit different, which is where TITUS comes in. Through the process of data classification, we go after the root of the problem – that is, the people. We turn the user around and make them part of the solution.
When users are prompted to classify and assign value to the information they create, they are forced to become active participants in the protection and security of data. With TITUS solutions, organizations are happily shifting the responsibility of data protection down from a small group of information security professionals to the business units, content creators and content owners, because they’re the ones who are subject matter experts.
The objective is to bring about a security culture around information management that makes employees respectful and aware of the sensitivity of information they are handling. Getting the workforce involved in the discussion and holding them accountable has proven extremely effective for those who had been fighting the fight with limited success so far.
In addition to classification being a very visible and interactive way to enable a shift in accountability across an organization, classifying your unstructured data also has the effect of dramatically improving the effectiveness of other security technologies, such as data leak prevention (DLP) tools and encryption initiatives. When metadata (such as the security classification, the department that owns the data, or caveats about who should have access) is added to each file, the metadata values are easily understood by the user or technology interacting with the data any time it is saved, sent or shared.
While cultural change won’t happen overnight, our experience suggests that users rapidly embrace the empowerment they are provided to help identify and protect information. Classification is an indispensable foundation to data security. Like wearing a seatbelt, classification becomes so essential that users often feel insecure when they are asked to handle information without it. It is at this point that you know your users are inherently aware of data security, an attitude that is maintained in every action that involves sharing of data.
With a mobile workforce sharing data through a combination of platforms every single day, and with new legislation only shining a more intense spotlight on accuracy, it’s vital that businesses act now to strike a balance between sharing and protection to create a new security culture throughout their workforce.
Tim Upton is a co-founder of TITUS and has an extensive background as a technology consultant in the security and large infrastructure spaces that helps inform company direction.