Surveying about data breach has always been a bit sketchy. No one wants to admit, even anonymously, they were breached. Data breach is embarrassing. And if word gets out that it happened, it is costly: brand-wise, liability-wise, and otherwise. Ticking boxes on surveys about "the incident" makes the mouse of any executive twitch, lest the world perceive the company and brand as weak and untrustworthy in running its business. Even talking about it resurrects painful memories of the frantic and stress-laden discovery, panic, damage assessment, more panic, and costly remediation that occurred. Rapidly moving to denial after a well-concealed breach is Prozac for the corporate psyche.
Bill C-12 is meandering along at government speed and will require us to go public in almost every instance of the loss of anything more than name, address and phone number that we have on anyone else. I will address why I think this about C-12 in an upcoming post. But for now, sticking one's head in the sand in the event of a data loss is about as uncommon as filing your expenses late.
Late this summer my company, NPC, commissioned a study on information security by Angus Reid, the pre-eminent collector in Canada of facts, figures and people's opinions on all sorts of things. Most IT security studies focus on the types of breaches that occur, the technology involved or lack thereof, and the resulting impact. This study focused on the attitudes and behaviours of employees and business owners concerning information security that lead to data breach.
I think because of its focus on mainly attitudes and behaviours towards information security this study skirted some of the typical disclosure fear and captured some insights. It not only caught my attention with these insights, but wow, does it show a real disconnect between the fantasy of what businesses think they are doing and what is really happening when the boss isn't looking, and sometimes, by the boss himself.
We surveyed 1,045 business people, well distributed across Canada, employees and owners, in virtually every industry segment. Fewer than 1 per cent were in companies greater than 500 people. On the surface, all sounds good.
- 83 per cent, both employees and the business owners said they were adequately protected from cybercrime and data loss
- 67 per cent of business owners said IT security is one of the most important components of their business, not just of the business's IT function, but of the business overall
- 87 per cent said they trust employees to adhere to their IT security rules and practices
- 95 per cent of employees believe practicing safe computing is an important part of their job
Well, here's the hitch.
In the same survey one in six employees admitted they do not adhere to IT security policies. They confessed they engage in a whole spectrum of safe computing no-nos from mismanaging passwords in ridiculously inappropriate ways (taped to the device itself or a password so weak a six-year-old could guess it) to copying company files to a personal USB stick (over 25 per cent do this). And for business owners, while we had the smarts not to ask them if they adhered to their own security policies, they did reveal their own poor attitude towards security in the specific activities they engaged in, sometimes in percentages that exceeded their own staff's behaviour (see ridiculous password activity above).
As a result, more than one business owner in seven said there had been an incident in their company where confidential information was put at risk from the loss or theft of a laptop, one out of every six said they have had a data breach due to employee negligence, and one out of 15 a breach due to employee maliciousness. One in 12 said they have already lost money due to a data breach. So why is there such a disconnect between what employees and business owners say is going on and what is really going on, even in the face of losses and embarrassment?
The first consideration is the speed with which we adopt and change technology, now incredibly powerful and compelling to use, and its complexity. It changes so fast and sprouts new capability so quickly that it's just plain hard to keep up with securing the stuff. But mostly I think we have so little time most days to do anything but scramble that any extra steps beyond what we must do next just fall down the priority list. And the more security we apply, the more we tend not to make it simple. In this frenetic, hyper-competitive age of 24/7, when something isn't fast and easy, we work around it.
While we know information security measures need to be as complex, effective and persistent as the virtual attacks that threaten us, they also have to become near-transparent to the user. Our electronic technology requires way too much effort on our part to secure and protect. I sometimes wish Steve Jobs was around to fix this. I can just imagine the depth and simplicity of what he would have driven his engineers to create. But in fact his legacy in the security department isn't stellar. One company that has had it right is RIM, but they fell behind in the design department. Here's hoping they catch up with Blackberry 10 and have remembered their brilliant history of making device security powerful yet so simple it gets used.
The NPC study showed that adopting technology with security controls, bolting them on later, or relying on policy and education is a senseless game if no one can easily adhere to the requirements. Transparency and simplicity are the key.