On any given day there are seminars, webinars, and other talks about security’s role in protecting an enterprise’s information. Each one I attend seems to focus on how technology can save the day, but I suggest that technology cannot be the entire answer.
Sources of data breaches
According to the 2013 Cost of Data Breach Study: United States from the Ponemon Institute, 33% of data breaches were the result of human error. From misuse of IT systems to failure to comply with organizational standards and procedures, there is only a limited amount that technology can do to prevent these incidents.
Ponemon attributed an additional 26% of data breaches to system glitches. While some of these include IT failures, manual process failures also fall into this category.
Another good source of information is the Chronology of Data Breaches found on the Privacy Rights Clearinghouse website. Thus far in 2014 there have been 73 data breaches reported in this source. Of these breaches, 21, or 29%, are categorized as lost, discarded or stolen non-electronic records.
…and then there are vendors and contractors
The discussions on security also seem to focus on what a company can do to protect information within its own network. There is, of course, the case of potential data loss by others to whom you have entrusted the information: your contractors and vendors. Although you have passed the information on to other entities, your organization remains responsible for ensuring that it is properly protected.
Audit rights covering security and privacy policies are often included in contractual clauses. When you consider the number of vendors and contractors an organization employs, it is no wonder that these rights are infrequently exercised.
What should an organization do?
Protecting information ultimately comes down to the behavior of and decisions made by your individual contributors and those of your vendors and contractors. Establishing a training and awareness program that includes all of these audiences is a good initial step. Implementing an active oversight and compliance regimen, with consequences for non-compliance, is another vital step in your protection strategy.
Organizations frequently spend proportionately large amounts to implement technology to protect information. Relying solely on these protections without considering potential human errors within your organization or with your vendors and contractors is simply putting your organization at risk.