Security breaches - it's the people, stupid
Jinfo Blog

1st May 2011

By Tim Buckley Owen

Talk of data security issues and we tend to assume that it’s IT professionals who are in the front line. But the challenges are as much behavioural as technological.

First, the good news: when it comes to deliberate security breaches with criminal intent, error seems to play a part in less than 1% of cases. According to Verizon’s 2011 Data Breach Security Report, hacking and malware are by far the greatest threats, followed by social attacks such as phishing or spam.

There also seems to be some comfort in the number of compromised records – down from 144 million in 2009 to 4 million in 2010. But this is illusory; the number of actual breaches is the largest to date, indicating that criminals are going more for small, opportunistic attacks.

Interestingly, only 3% of breaches were considered unavoidable without difficult or expensive corrective action. Which makes Frost & Sullivan’s 2011 Global Information Security Workforce Study all the more striking, because its focus is on the skills and training needs of information security professionals.

After application vulnerabilities, mobile devices represent their biggest security headache, with social media threats not far behind. But technology is only part of the story; security policies and user education are lagging too, and the report actually suggests that security professionals are resistant to adopting such new technological trends, even though they’re widely embraced by businesses and the average end user.

They’ll need to move on this, as a survey sponsored by the document collaboration software specialist Workshare indicates. 54% of United Kingdom IT heads have granted business users access to corporate documents via mobiles or tablets, or plan to within the next 12 months – but they’re clearly worried about safeguarding corporate documents and systems.

As Nancy Davis Kho makes clear in her recent LiveWire posting, employees are going to use such devices anyway if they can get an answer faster or more efficiently as a result. So managing user behaviour becomes crucial.

Writing recently in EContent magazine, Kelley Bligh shows that negligence and misunderstandings are the real culprits behind data loss, and quotes Thomas Logan of compliance software provider HiSoftware. You need to educate and inform people within an organisation about data security, he says – but before that you need a policy.

And not just for the electronic stuff. Commenting recently on a case involving two healthcare organisations, the UK’s privacy watchdog the Information Commissioner’s Office emphasised that paper records management processes needed to be just as robust as electronic data systems.

It would be pointless to suggest that IT staff will never have a handle on all this. But with such multi-layered challenges, it’s clear that info pros have their role to play too.
