Cybersecurity is no longer just an IT problem; it’s a business problem. Boardrooms are now requiring chief executives to execute and report on cybersecurity initiatives to ensure shareholders are protected in the event of a breach.
The problem is, most organizations attempt to solve their security issues by building large “walls” and “barriers” around the technology employees need to do their jobs effectively. Thus, security is becoming a tool that is making it harder for employees to succeed.
The Current State of Security
Every day, organizations are becoming more vulnerable to advanced security breaches. The state of security is alarming:
More data being generated – 44 trillion gigabytes by 2020.
Smarter, more sophisticated cyber criminals – the average APT goes 256 days before being detected.
Fewer good guys to stop them – 1.5 million shortfall in IT security personnel by 2019.
The problem is, organizations are taking a siloed approach in addressing security threats. IT departments are making investments in network security, data protection and intrusion prevention systems. While these steps are absolutely vital, organizations can’t afford to forget about what is most important – people!
People Are the Problem
At IBM, I always told my clients, “You can invest all the money in the world to build a large solid wall around your business, but the investment is wasted if you cannot monitor who has the keys to open the door.”
According to IBM’s President and CEO, Ginni Rometty, 60% of all data breaches are caused internally by employees, and 99% of them are accidents.
It’s great to have the cyber wall built around your business, but if you don’t have a way of determining whether an employee downloaded a corrupt application, opened a malicious email or visited a fraudulent website, then your cyber wall could come crumbling down!
Access Is Everything
If you are an organization that has invested time and money building a cyber wall to secure your business, you are on the right track. This investment is essential. But make sure your investment extends to the users who have the keys to open the door.
Here are three important questions to ask yourself to see if you’ve made the right investment:
Where does your sensitive data reside?
Who has access to it?
What are they doing with it?
As a board member or chief executive, it is important to have a conversation with your IT team to determine, classify and prioritize what the critical systems are in your business. In other words, where and what is your sensitive data? Is it board deliberations, M&A acquisitions, customer databases, etc.?
Once you have identified where your sensitive data lives, both inside and outside of your business, you have to determine who has access to it. Be careful here! Many times, organizations focus only on employees. Your IT team needs to know every user who has access, not just your employees. What stakeholders, vendors or suppliers have you granted access to your critical systems in the process of doing business? How are you monitoring their access and alerting when anomalies are detected? Controlling the keys is an easy way to allow employees to do their jobs without getting in the way. It’s the trust but verify model!
Finally, knowing who has access to what is an important step, but knowing what they are doing with the information they have access to is critical. This is an essential part of the trust but verify model. Organizations don’t have to have eyes on everything employees are doing, but they must monitor what employees are doing with sensitive corporate data!
Understanding the trust but verify model is a necessary step in ensuring that cyber defense doesn’t work against corporate productivity. Letting people do their jobs generates revenue for your business. Understanding where your sensitive data is, who has access to it and what they are doing with it protects what is important to you!