How to drive home the importance of data security with company stakeholders
For the modern business, there are few topics more important than data security. Without a proper appreciation for data security and all that it entails, you’ll find your business falling behind. But getting all of your employees and company stakeholders on board can prove to be a major challenge.
Let’s say you have a big 10-gallon bucket sitting in your garage. It’s a thick, sturdy bucket that’s brand new – never been used before. And while the bucket looks like it’s in great shape, there’s a tiny hole at the very bottom. It isn’t any bigger than a pinhead, but it’s there. Guess what happens when you pour water in? Though it might take a few minutes, the water is eventually going to completely drain out of the bucket. Despite the difference in size, 10 gallons of water is no match for a tiny hole.
The same could be said of your company’s approach to data security. No matter how strong your strategy is or how many various safeguards you have in place, all it takes is one uncooperative employee or uninformed stakeholder to compromise the entire thing.
Your data security strategy is only as good as your organization’s weakest link. When you look at it through this context, the importance of stakeholder buy-in becomes clear.
How to encourage total buy-in
As with anything else, getting people to take data security seriously requires a purposeful and concerted effort. Here are some things to consider:
1. Employees are often to blame.
According to the Online Trust Alliance (OTA), roughly 91 percent of data breaches can be prevented. And though there are four major ways in which data breaches occur, employees are often to blame. They account for 30 percent of breaches (whether accidental or malicious).
“By educating on the dangers of phishing, companies can prevent these embarrassing situations from happening,” Point Park University explains. “The OTA reports that insiders can be a threat when they are feeling unhappy, moving to another company or having financial problems. Companies must realize that insider threats to data protection are a reality.”
2. Education is key.
While there are instances in which employees knowingly put the business in harm’s way, most of the time their actions are the result of a lack of education on the topic of data security. The more you commit to educating your employees, the fewer costly mistakes there will be.
You can send out emails until you’re blue in the face, but the only way to ensure employees take your instructions seriously is to hold informative presentations and meetings where you’re able to talk with everyone in a face-to-face manner.
In addition to delivering a compelling message, it’s smart to give employees something to reference. Printed booklets or brochures that explain various policies and recap different rules can serve as a nice complementary resource.
3. Give decision-makers the numbers.
With employees, you’re telling them how to act so that they can be in compliance with your data security protocol. With stakeholders that are higher up in the organization – including decision-makers and gatekeepers – you may actually have to convince them to buy into what you’re doing. And the best way to do this is by giving them the cold, hard numbers.
According to this year’s Cost of Data Breach Study conducted by Ponemon Institute, the global average cost of a data breach is up 6.4 percent from 2017 to $3.86 million. The average cost for each lost/stolen record containing confidential or sensitive information is up 4.8 percent year-over-year to $148.
Honestly, the numbers do the talking. When you use data points like these as your basis, it’s hard for stakeholders not to buy in. For even better results, tell a story around these statistics. In doing so, you appeal to both the analytical and subjective modes of decision-making.
Adding it all up
The time for taking data security lightly and tinkering with different techniques is over. There are 230,000 new pieces of malwareproduced every single day, while hacks occur every 39 seconds in the United States alone. You need total buy-in from all key stakeholders. If you aren’t confident that you have this, dig your heels in and make a plan.
(This post originally appeared on the ISACA blog, which can be viewed here).