Taking Responsibility for a Data Breach

Anti-Sexual Harassment Graffiti reading: No To...
Anti-Sexual Harassment Graffiti reading: No Touching allowed: Castration Awaits You (Photo credit: Wikipedia)

A data breach can cause both public
embarrassment and significant cost to the company involved, as well as
employee turmoil and time spent dealing with the incident internally.
This can similarly be compared with handling a sexual harassment
incident. Equally embarrassing and perhaps costly if handled wrong,
there is a follow up surge in both cases for training and awareness
given to the employees at large, hoping to prevent another incident.
The big difference between these
examples is individual blame and repercussions. There is training and retraining or best practices suggestions, but who is getting fired? Even if a company
didn’t fire the people responsible for the sexual harassment, they
would know who to watch for future mistakes and both sides would know
that a second lapse in judgement would be the final one. With a data
breach however, the parties involved may still be a mystery following
the incident and no one would know who to watch or even who to blame
when it happens again.
Government legislation forced
corporations to adjust their company policies and provide staff
training. The high cost of fines and loss of reputation made acting
responsibly no longer a choice. It is now common practice for most
companies to have a human resources department that ensures sexual
harassment behaviour and the punishment for it is written into the
corporate policy. Is enough training combined with clearly defined mandates and consequences being given to deal with network breaches and data loss?
While the corporation suffers a
financial loss and damaged reputation, the result of a company breach
can cause the company to lose on so many more levels: financial and
proprietary information loss, lost sales, damaged reputation, lost
trust from their customers and vendor-partners, the list just goes on
and on. So why is this not being handled by organizations with more
importance and aggression?
A security breach is usually attributed
to sloppy habits and an irresponsible attitude that leads to
behaviour that creates or allows a breach. It doesn’t matter what
people use as an excuse for sloppy habits it needs to be tidied up.
Right now the attitude of the average employee toward information
security is pure apathy. They don’t care and they have no reason to
care. They take no personal ownership over the data they handle for
the company so they feel no responsibility, and no one is ever
singled out for information security misconduct. People’s thinking
would change quickly if there were a red flashing light that went off
on their computer monitor, laptop or device when they specifically
broke corporate security rules.
Companies should be writing fines and
repercussions into corporate policy for incidents such as:
  • opening an email link or
    attachment that did not fit the proper profile
  • going to a forbidden or untrusted site
  • using a USB from an unknown source
Until we can track back data breaches
without fail to individuals that caused it with certain behaviour,
begin with deterring the behaviour that could cause the breach.
Touch that girl inappropriately? You’re fired. Two “red light”
incidents at your workspace? You’re fired. Organizations need a more
aggressive approach to security, because the whole company benefits
and the whole company suffers when reckless and indifferent
behaviour is ignored.
Related articles
Enhanced by Zemanta