Humans: A Data Security Strategy’s Worst Enemy

By Brad Thies

Every organization requires some form of management; otherwise, it would be called a disorganization and business success would be elusive at best. It’s management’s job to establish roles and responsibilities for employees—especially when it comes to information security.

Sixty percent of hackers can breach an organization’s system defenses within minutes. Risks and security incidents used to be managed on a case-by-case basis, but that’s no longer a viable option. The number of security incidents increased by 48 percent from 2013 to 2014, and notable companies including Adobe, eBay, Target, and The Home Depot were among the victims.

But data breaches don’t affect only big-name brands; small businesses are also at risk. It’s time to wake up to the dangers of losing control of your data and to craft a plan around your most vulnerable asset: your people.

Security Tip: Stop Ignoring the Human Element

No matter what you use to secure your sensitive information, you must consider how your employees play into this equation. According to David Anderson, a senior information security consultant at CliftonLarsonAllen, hackers get into a system through a legitimate user’s access 60 percent of the time.

Training your employees to create strong passwords and to securely share information is critical. Small business owners must address any weaknesses among their employees. But the question remains; how can you hold your employees accountable for information security if you haven’t defined their responsibilities? The answer is simple; you can’t.

Small business security and human error

Define Data Security Roles and Responsibilities

Without clear definitions of who is supposed to do what, teams tend to waste energy negotiating instead of accomplishing. The best way to effectively implement strategies is to ensure that each individual understands what he or she is responsible for. Employees with well-defined roles are able to implement technology to create an effective security program.

But first, you must plan an approach to information security. Ensure that you have the appropriate managers and overseers in place. Then assess the risks, and identify hierarchical solutions. Once you’re ready to move forward with the plan, begin by establishing the individual responsibilities that the policy requires.

Be sure to involve the following players in the conversation:

  1. The security committee reviews your organization’s security management plan and policies and provides leadership, guidance, and oversight over security programs.
  2. Management appoints a qualified security office (or its equivalent for smaller organizations). It also establishes, reviews, and approves your information security policy; communicates the policy to all parties; and maintains the program.
  3. The chief information officer handles the administration of the security office and maintains overall authority for information security controls.
  4. The chief information security officer assigns resources to assist with the coordination, development, implementation, and monitoring of the information security program.
  5. IT management is responsible for the data processing infrastructure and computing network. It develops, deploys, and maintains an information security architecture that provides the range of security controls required based on the information’s confidentiality, integrity, and availability.
  6. Data owners classify information within their jurisdiction by reviewing its value and sensitivity, as well as by assessing the consequences of losing, compromising, or recovering it. They also determine the types of privileges that should be granted and conduct reviews of access rights.
  7. Users must comply with your organization’s employee handbook, only access the information they’re authorized to see, and ensure that they do not disclose or share login credentials and passwords.

Clearly defined roles and responsibilities are important in every company. But where data security is concerned, it’s absolutely vital that employees understand the scope of their required tasks. All the security experts and resources in the world can’t secure your assets if you overlook the human element.

Brad Thies is principal at Barr Assurance & Advisory Inc., a risk consulting and compliance firm. He is a certified public accountant and a certified information system auditor with more than 10 years of industry experience.

Do you have a comment or question about this article or other small business topics in general? Speak out in the Forums. Join the discussion today!
Small Business Computing Staff
Small Business Computing Staff
Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales.

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.