Security Awareness Program (Lacking)
Security awareness programs (data security education) are drastically lacking in American corporations, and it is leading to an increase in data breach and workplace identity theft.
Look at these numbers about employee data security just released by the Ponemon Institute. They appeared in a post by the Ponemon Institute’s Founder, Larry Ponemon (the quote is theirs, the emphasis, mine):
According to our study, made possible through a sponsorship by secure USB flash drive developer IronKey, employees routinely engage in activities that put sensitive data at risk. They are downloading data onto unsecured mobile devices (61%), sharing passwords (47%), losing data-bearing devices (43%), and turning off their mobile devices’ security tools (21%). And, reflective of the blurring of the lines between personal and professional lives, they are using web-based personal email in the office (52%), downloading Internet software onto an employer’s devices (53%), and engaging in online social networking while in the workplace (31%).
I have seen anecdotal evidence of some of the same root causes in the trend towards ignoring data security and security awareness programs as the Ponemon Institue. Larry Ponemon’s summary of root causes rings true:
- Increased data portability leading to lack of control
- Technology outpacing education leading to a perpetual “catch up” cycle
- Bottom-line cost-saving pressure decimating data security education and security awareness programs.
A recent article in Forbes mentioned what I find to be an additional leading cause of security awareness program decreases: desensitization due to information overload. It is not just consumers that are being overloaded by breach notifications; corporations are being overloaded trying to patch holes in a technological dike with masking tape. In addition to trying to retro fit software that was never designed with much security in mind, they are unwilling to dip into their bottom line to buy some duct tape (or to repair the holes at the source).
Finding a solution to data security is not an easy solution, but education at the employee level (not the departmental level, not the executive level) is the beach head for this particular mission. Alas, security awareness program budgets have been cut even further than technology budgets, accelerating the problem. Of all the audiences I speak to, the healthiest companies and government agencies (including the D.O.D.) have actually increased their budgets for security awareness and education. And they initiate security awareness programs at the grass roots level: by training their employees to care about their own data security and incenting them to bring their good data privacy habits to work.
John Sileo lost his business and two years of his life to identity theft and data breach. Today he uses his gripping story, first-hand experiences and humorous interaction to inspire audiences around the world to protect corporate data. His clients include the Department of Defense, FDIC and Pfizer. To bring a security awareness program and John Sileo to your next conference or meeting, contact him on 800.258.8076.