The definition of human error is “a mistake made by a person rather than being caused by a poorly designed process or the malfunctioning of a machine such as a computer.” A simple, often unintentional, lapse in judgement can have detrimental repercussions and it's no surprise that an organization's workforce is the weakest link. Yet, you can't just dismiss people wholesale for every mistake. So how can organizations protect themselves from human error?
Human error continues to be the primary cause of information technology (IT) security breaches, and the main reason security processes fail is that individuals are given the option to bypass them. Take PA Consulting's loss of a memory stick containing personal data on every one of the 84,000 prisoners in England and Wales as an example: a single employee was in breach of its well-established information security processes. I'm sure he, or she, did not set out to intentionally destroy the reputation PA had built for handling sensitive government information securely for over 60 years, or to lose the contract and potentially jeopardise the remaining contracts, yet that has been the result. The salary of the individual involved has not been disclosed, but even a lifetime of hard work for free would never repay this deficit! In the individual's defence, although ingenuousness is a fair charge, the fact remains that they were allowed to bypass the encryption software that would have saved PA its troubles. So, in this case, who really was the weakest link?
Who to blame
Let's face it, anyone can make a mistake: the person who leaves a USB drive containing the latest (but not yet launched) advertising campaign behind at the coffee shop, the employee who forgets to lock their computer before going to lunch, leaving sensitive data accessible, the commuter who, being efficient, uses their smartphone to review corporate documents on the train and then leaves it behind in the mad rush to the door. Everyone can have a momentary loss of concentration. But it's the cost of the mistake that makes the difference. So, rather than pointing the finger of blame after the fact, organizations must identify the potential risks and employ damage limitation tactics.
IT departments should never leave data security up to the end user: end users don't have the time or the knowledge, and it certainly wouldn't be considered “reasonable and appropriate” (the underlying theme of data security regulation) if the device, and the data it contained, were lost or stolen.
Likewise, everyone within an organization must understand their responsibility for keeping sensitive information secure and how to use the available technology, such as encryption software, to do so. Often if people understand why they need to do something, then they'll do it – the PA Consulting employee learned this lesson the hard way.
What to do
To ensure data protection in today's dynamic IT environment, leading analysts recommend that security protects what matters most: the data, not necessarily the device. Concerned about the damage and liabilities of lost and stolen data, enterprises are turning to encryption as a backstop to prevent corporate and customer information from ending up in the wrong hands.
Organizations need an intelligent, multilayered approach to encryption that automatically safeguards data without complicating essential IT and user operations, and with no back door, for instance. A data-centric solution simultaneously meets security, IT operations and compliance needs. Encryption can take place whether data is on a desktop, laptop, PDA or USB stick, and it's granular, so administrators can set policies to determine which data is protected and against whom. A data-centric solution protects individual users' data without interfering with the other operational processes (upgrades, patches, etc.) that need to be done; it protects against the internal threat and provides a lower total cost of ownership (TCO).
Corporate governance requires organizations not only to have security, but to be able to prove it is effective. When a device is lost or stolen, the company has to decide whether a “breach notification” must be issued, along with all the expense and embarrassment that goes with it. However, if there is a reasonable belief that the data was encrypted, and this can be proved, then the affected individuals whose information has been lost do not necessarily need to be informed (depending on the jurisdiction). With a solution that includes a central management console, every protected machine reports back to say that it has received the latest instruction and confirms that it has been carried out, keeping all the proof centrally.
Every day employees are taking advantage of the latest must-have gadget, even using personal devices in addition to company owned technology, to keep in touch when out of the office. Any organization that not only embraces this trend, but actively encourages it, has a responsibility to empower its employees to do so securely.