It is hard to get away from media stories about accidental losses of personal or confidential data – Government laptops stolen from a car, secret council files found in a skip, and so on. The latest strand to this story is the revelation last night on the excellent Donal MacIntyre programme (BBC Radio 5 Live on Sunday 13 April) that a council childcare worker recently lost confidential information about a child under his protection after popping into a bar for a drink. Download the programme podcast here.
Recently I’ve come across a different but equally worrying trend – the deliberate bypassing of formal security procedures by employees in companies with established security regimes. Our research found that a staggering 68 percent of employees admitted to breaching security controls in order to do their jobs. Are these people mad, bad or worse? Actually, the chances are that they are basically conscientious employees just trying to get their work done under trying circumstances. The greater culprit here is likely to be well-intentioned but misguided managers, who are putting in place unduly frustrating policies that strike the wrong balance between the security and availability of information.
Clearly, this points to a serious disconnect between the people who specify and police internal security systems, and the employees at the coalface who interface with them in their daily lives. If we are ever to make meaningful progress in the battle against identity theft and online fraud, there is a vital battle to be fought for the hearts and minds of staff.
Tomorrow we will publish a timely new insight into the state of data breaches worldwide and what organisations need to do about them. Data Breaches: Trends, Costs and Best Practices assesses the true state of today’s data breach environment; recognises the real, damaging trends that affect organisations and individuals; and identifies current and emerging best practices in controlling the risks and costs arising from inadequate data security. The report is aimed at executives, information security managers, risk managers, auditors, compliance managers, stakeholders and data controllers worldwide, i.e. it is for precisely the people who may be putting in place the policies that their employees are currently working around. If you or your organisation would benefit from reading this – and there are clearly many – you can find out more and purchase a copy here.