By John Sileo, consumer security expert
Everybody wants your data. Why? Because it’s profitable, it’s relatively easy to access and the resulting crime is almost impossible to trace.
Take, for example, the 100+ million customer records that have been breached in the past months. Sony PlayStation Network, Citigroup, Epsilon, RSA and Lockheed have faced billions in recovery and reputation-damage costs.
To minimize recovery costs, you must minimize risk and secure your business data. Take the following steps in this three-part series and you’ll be well on your way.
1. Start with the humans.
Companies often approach data privacy only from the perspective of the company. This is a costly data security mistake, as it ignores a crucial reality: all privacy is personal. Your employees will only care about data security or property protection when they understand their direct involvement.
Start with the personal and expand into the professional. Give your employees the tools to protect themselves personally from identity theft. In addition to showing them that you care, you are developing a privacy language and framework that can be easily adapted to business. Once your employees understand the security framework from a personal standpoint, it’s a short leap to apply that to your business security.
2. Immunize against social engineering.
The root cause of most data loss is not based on technology; it is based on human beings who make costly miscalculations out of fear, confusion, bribery and a sense of urgency. Data thieves can manipulate information out of your employees by pushing these buttons.
Immunize your workforce against such social engineering. Train them to do the following when asked for information:
- Exercise professional skepticism. Automatically assume that the requestor is a spy of some sort.
- Take control of the situation. If you didn’t initiate the transfer of information, stop and think before you share.
- Expose fraud. During this moment of hesitation, ask a series of aggressive questions aimed at exposing fraud.
When doing this type of training, whether it is for the Department of Defense, a Fortune 50 or a small business, try making a game out of it—make it interesting, interactive and fun, as that is how people learn best.
While these first two steps are not what you might traditionally associate with data security, they have everything to do with human behavior. You must begin with the human factor, with core motivations and risky habits, to increase the success of your privacy initiatives. You need to build a coalition; you need to instill a culture of privacy, one security brick at a time.