Research shows most security breaches are down to people inside the organisation. Workers say this needs to be addressed by HR policy and procedure as well as technology.
New research shows that most employees see information security as an HR issue and want companies to develop better HR policies and practices to help safeguard private company data.
The research, by data loss prevention company Clearswift, gathered views from over 4,000 employees in the UK, USA, Germany and Australia.
Over three quarters (76%) of UK employees said there should be a disciplinary process for people who leak sensitive business information, whilst 70% said references for past employees or contractors should disclose whether they were involved in data breaches.
75% said they would not trust their company again if their private information were leaked.
Security is as much about training and dealing with people in and around the organisation as it is about technical solutions. In a parallel survey of 500 security experts, 68% said training was the most important way to minimise risk.
This reflects the growing recognition that data breaches are largely down to people who have been granted access to the information they leak – whether deliberately or accidentally – and this must be addressed with policies as well as technology.
The research showed 71% of UK breaches come from people in the extended enterprise (employees 41%; ex-employees 9%; contractors 21%).
Technology is increasingly able to spot suspicious activity, e.g. an email containing credit card or patent details. Acting on this information requires informed decisions based on people management. Jacqui Summons, Global HR Director at Clearswift, says: “It will become the job of HR to make judgements about whether such activity is suspicious and take appropriate action, from sending a warning, to providing suitable training, to instigating full-scale investigations. HR therefore needs to be much more closely engaged with their company’s information.”
Summons adds: “The likes of the recent Ashley Madison breach seem to have come from someone on the inside. This shows that information security is not just an issue for the IT department, but one that needs the attention of the people tasked with hiring, incentivising, and creating a culture of trust within the workforce.”
“All of this blurs the lines between IT and HR departments – a trend that will only continue as the workforce works across different locations and devices, and contractors and short term employees move in and out of the company bringing their own devices and taking data with them. HR departments need to truly understand how their data moves around the organisations, the risks their workforce pose, and how technology is being implemented to increase security. Only then can they properly manage those risks.”