A Culture Of Security Survival

Posted by Robert Smallcombe

In the last week we have heard that 57 million personal records were stolen from Uber by two hackers. Alone, this made good headlines and an interesting story to read about, assuming it didn’t directly affect you or your company. But behind these numbers are the more worrying statistics around a general lack of awareness of the scale of vulnerability that stems from a poor security culture. I was pretty shocked to learn that nearly two thirds of employees steal proprietary corporate data when they quit or are fired (CITE). It is perhaps understandable that someone who is fired will have a motivation to hurt their former employer, but what is not so clear is the motivation of those colleagues who choose to leave of their own accord. I’d hazard a guess at two possible explanations:

1. A frustration at poorly implemented security measures which block efficiency.
2. A desensitisation to the importance of the data they possess.

Companies put in place policies and processes to reduce the chances of falling victim to hacks and loss of data, but this has little impact on the attitude of employees. Security is generally implemented as a secondary overlay to existing services and systems. As such, it creates a level of annoyance and becomes a nuisance for each end user. Good examples of this include mandating use of outdated kit or software to save money, blocking access to everyday business platforms with unreliable VPNs or secondary sign-in measures, failing to provide adequate training for new joiners, enforcing constant password resets and, worst of all, failing to adopt the security standards you are promoting to your own clients.

The minute you block end users from accessing the tools they need to perform their job effectively, with systems and kit that are not fit for purpose, you run the risk of creating a culture of frustration, detachment and even animosity. You will eventually push your employees to look for loopholes around your own security measures using their own devices and platforms. If they then choose to leave, this adds a further layer of vulnerability that is outside the company’s control. Once an employee leaves the business and retains these personal devices, you remain exposed to accidental leaks through theft or loss, and if they do lose their devices they are even less likely to tell you.

Secondly, the more we see it happen to others, the more we expect to see it happen. The more we expect to see it happen, the more we become indifferent. Poor implementation of security safeguards and the continual rise in reporting of customer breaches have created an environment in which individuals do not realise the value or sensitivity of the data their position permits them to possess. As such, many do not fully appreciate their role in creating and maintaining a culture of security.

It is for these two reasons that I believe security needs to be thought about as the lifeblood of any business and the central factor in adopting any new platform, process or hire. When security becomes the key consideration from the start, the likelihood of it later becoming a blocker is vastly reduced. In our examples above, any potential cost savings would have been outweighed by the potential risks they posed. Indeed, when we see how fundamental these small measures can be to the future of any business, it becomes less about security and more about survival.