Let’s start with a tired metaphor: "Storing crown jewels outside of castle walls."
So, if Information Security is like medieval Europe, then companies are the feudal lords who spend their money building really strong walls to keep enemies at bay. They spend the rest of their money paying soldiers to patrol the walls, detect enemy infiltration and alert the city to danger.
The scandal, to continue with the medieval metaphor, is that employees are peasants who take the feudal lord’s treasure and store it in their homes, outside the big strong walls and beyond the protective gaze of the lord’s security forces.
Enough with the metaphors. In plain English: the unnerving reality of modern data breaches is that people are the problem.
Paper Based Identity Theft
When I started my career in ECM, electronic statements and paper suppression were big discussion points. The very attractive ROI (which still exists since most paper suppression efforts have been pretty dismal to date) was tempered by financial services organizations' concerns about the risk of identity theft if customer information was being stored “online.”
But the data revealed a surprise: most incidents of identity theft were happening because the client received a paper statement. Why? Because most identity theft happened between people who knew each other. A relative or neighbor could easily steal a bank statement and run wild with the personal information. And a lot of identity theft went un-prosecuted because parents and grandparents rarely prosecuted their own progeny for the crime.
Fear, Uncertainty, Doubt and Lots of Money
Security breaches receive enormous public attention these days. The 2015 Data Breach Investigation Report claimed that the New York Times has written 700 plus articles on data breaches in 2014, a deliberate shift from just 125 in previous years. Major brands and hundreds of thousands of consumers have been victimized. While consumers have been fairly well insulated from the financial impacts of these attacks, according to the "2015 Cost of Data Breach Study: Global Analysis" the “cost of data breaches due to malicious or criminal attacks increased from an average of $159 in last year’s study to $170 per record.”
Large organizations like Chase Bank have responded to breaches by spending millions on new software and staff. The 2015 Cost of Data Breach Study states it now has 1,000 people on its cyber security team. Relatively new organizations like FireEye have sprung up and gained popularity due to its involvement in high profile cases. (If you haven’t looked at its Cyber Threat map you should take a minute and check it out here.)
People Are the Problem
And yet Experian has reported, “Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls. Employees and negligence are the leading cause of security incidents but remain the least reported issue. According to industry research, this represented 59 percent of security incidents in the last year.” And it predicts that the trend will continue in 2016.
The 2015 Data Breach Investigation Report mentioned earlier provide a summary of the ten major categories for data breaches in 2014:
It summarizes: “It may not be obvious at first glance, but the common denominator across the top four patterns — accounting for nearly 90 percent of all incidents — is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns. At this point, take your index finger, place it on your chest, and repeat 'I am the problem,' as long as it takes to believe it. Good — the first step to recovery is admitting the problem.”
And lest the small and medium business think that they are immune to these issues, consider the work done by TowerGate Insurance.
(The complete TowerGate infographic can be viewed here)
Heroes are the Problem
The problem is not that most employees are “Bad Actors” to use a cyber-security term. And it isn’t an issue of being trained or not. We ran into this conversation with a Chief Legal Counsel at a global manufacturer. He wanted to know why employees were deliberately flouting stated protocols and raising his risk profile. One staff member replied, “Because this company is full of people who don’t have the tools they need to get their job that way. We have a company full of people making heroic efforts to just get the work done.”
So the sales manager who goes above and beyond to email his client data on the weekend instead of waiting until Monday — when he can load it onto an FTP site for secure transfer — is exposing PII. The analyst who pulls a report to help a friend working an 80 hour week who won’t make their deadline if they have to wait for IT to provision their access rights. The corporate secretary who needs to supply confidential information to the board at the last minute but has no distribution method besides the SharePoint site.
These folks are all corporate heroes. And they are all part of the problem.
It comes down to this: in the trenches of day to day work, when an employee needs to decide if he will get his job done or if he will follow a security protocol, he will choose to get his job done. But, returning to our metaphor, his acts of bravery are often putting the crown jewels outside of the castle walls.
Adding good information management to the cyber-security focus of many organizations can help reduce exposure to data breaches. Here's how that would look at the strategy level, the policy level and the application level:
1. Information Management Strategies Must Prioritize the Destruction of Expired Content
Organizations must prioritize the destruction of content according to a defensible strategy. Much has been written on this topic. But the connection to data loss is so intimate it is scandalous. When you consider the amount of information that currently resides in your shared drives, email and other shadow systems throughout your organization, you should be on the verge of despair.
We have worked repeatedly on projects where IT tells us that their PHI and PII information is all in the appropriate managed repository. I have yet to analyze an organization that did not have PHI or PII exposure in an unmanaged repository. Getting serious about deleting expired information will reduce this risk.
2. Creating Policy to Restrict Access to Cloud Services Will Backfire
Organizations that have set a policy to restrict corporate data behind their firewall have de facto forced employees to create shadow IT functions so that they can work from home or on the road or so that they can collaborate with external parties. It's a natural tendency for risk adverse organizations to pursue this course of action based on the false perception that cloud equals “less secure.” Unfortunately, these organizations only increase their risk of exposing corporate or client data.
3. Build Information Management Applications with Purpose
Too long information management tools for general purpose use (think SharePoint) have been treated like Microsoft Office. In reality, business users require a solution with more design and forethought. If the information management experience is designed with a limited number of high level use cases in mind it will provide the twin benefits of engaging end-users and providing common functionality like secure file sharing, digital rights management, etc. which will improve information security.
As always, thanks for reading. I look forward to your feedback in the comments and on Twitter.