The eve of the annual RSA conference is always a time of reflection as thousands of cybersecurity professionals gather together at one of the oldest and largest conferences dedicated to cybersecurity. The single question that always comes up at this event is to what degree are cybersecurity professionals making an actual difference within their organizations?
This issue keeps coming up because there’s no such thing as perfect security. A recent survey of 1,000 cybersecurity professionals conducted by Egress, a provider of a data loss prevention service, finds a staggering 83 percent of respondents believe employees have accidentally exposed customer or business sensitive data at their organization.
The top five means through which that sensitive data was inadvertently shared are ranked as:
- External email services (Gmail, Yahoo!, etc.) (51%)
- Corporate email (46%)
- File sharing services (FTP sites, etc.) (40%)
- Collaboration Tools (Slack, Dropbox, etc.) (38%)
- SMS / Messaging Apps (G-Chat, WhatsApp, etc.) (35%)
The survey also notes that 79 percent of respondents said their organizations share sensitive business data internally without encrypting it, while 64 percent share sensitive business data externally without encrypting it. The primary reason organizations don’t encrypt all data by default is the cost and overhead associated with managing all the keys that are required to encrypt and decrypt data. On top of that, most organizations are not especially good at protecting credentials, so when passwords get compromised it often turns out that intruders still gained access to encrypted data.
Given those dynamics, it’s always going to be next to impossible for cybersecurity professionals to ever feel 100 percent successful. No matter how much malware is prevented from infecting the system, end users are always going to find some new way to screw things up. Most end users are still blissfully ignorant when it comes to the best cybersecurity policies and procedures. They still complain vociferously any time a cybersecurity safeguard makes it more difficult for them to accomplish a task. Cybersecurity professionals naturally get tired of being blamed for getting in the way of personal productivity. End users have been informed of the risks, and yet still decide to share sensitive data over public email systems. Cybersecurity professionals can only do so much.
The real conversation cybersecurity professionals need to be having is with the business leaders of their respective organizations. Those leaders need to clearly understand that being the custodian of sensitive data comes with inherent responsibilities. First and foremost, business leaders need to make sure the people they hire understand that caring for the data is not an inconvenience or burden. Rather, it’s a responsibility and obligation to the individuals that trusted their organization with data in the first place. The data doesn’t just belong to the company. It belongs to their fellow human beings. Appreciating the fact data represents a lot more than a collection of numbers and words won’t necessarily prevent breaches from occurring. But end users that understand the true value of data in human terms are going to be a lot more careful with the data because they will think of caring for that data as a sacred trust.
Unfortunately, most end users still don’t really grasp just how much damage can be inflicted when sensitive data gets compromised. They are all aware they might get in trouble and the company could be fined. But what most of them don’t really get is the human cost. Every time data gets compromised there is a person out there experiencing pain that is being inflicted because someone was careless with their data. Cybersecurity professionals could be doing themselves and the organizations they work for a huge favor by conducting training classes that simply focus on all the ways sensitive data is employed to inflict real harm. Once informed of those consequences, most end users will take a lot better care of the data they have been entrusted to protect. Cybersecurity professionals tend to assume everybody intuitively already understands the inherent value of data. The truth of the matter, however, is that in their collective zeal to accomplish some task as quickly as possible, it’s easy to forget what that data really represents.
Of course, if the business leaders don’t appreciate the real value of the data the organization collects, the rest of the conversation is a non-starter. But at the very least, cybersecurity professionals can take some comfort in the fact that they really did try to make a real difference.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.