The Symantec/Ponemon Institute report, 2013 Cost of Data Breach: Global Analysis, estimates the US average organizational cost of a data breach (i.e., lost or compromised records) at $5.4M. That excludes what they call catastrophic or “mega data” breaches, which would skew the cost higher. Our data is under siege from governments, industrial espionage, organized crime, and middle school hackers. At the same time, our organizations are working in the “social era” where great value comes from sharing rather than holding information and knowledge close. We need to balance data security with collaboration and performance.
Technology is the strongest data defense, but all security is at its heart, human.
A 2012 study by the Ponemon Institute found that the deployment of security intelligence systems saved their respondent companies an average of $1.6 million in comparison to companies who did not employ security intelligence systems.
Training and awareness activities also have value, but much less than the technical tools. Training and awareness activities were one of a set of enterprise security governance activities measured in the same Ponemon survey. Training and awareness saved an average of only $102,506 (no data were provided to allow separate assessments of return on investment).
Even if technological tools have more overall benefit than human or organizational process strategies, we still cannot drop the human side of the equation. A Microsoft study from the first half of 2011 found that some form of user interaction was the cause of the majority of malware propagations (44.8% vs 26.0% for the 2nd highest threat -- installation from an auto run program on a USB drive). This leads me to offer that while training may be less valuable than technological solutions, training and other human considerations are still an important component of an appropriate mix of how we protect our data.
The Best Security Is a Mix
The best security is a combination of human, technical, and organizational dimensions. A good mix combines technical security with human practices that work in sync rather than against the tools. Simply tightening technical security may mean people start using sticky notes on their monitors to remember passwords or propping open inconveniently locked doors.
Too Tight Security Is Failed Security
Individuals have an implicit “compliance budget” that plays a role in whether security policies are supported or not. Exceed the individual’s compliance budget and the likelihood of data security work-arounds goes up. The mental cost/benefit analysis trades-off issues like physical or cognitive effort, possibility of embarrassment (e.g., not being able to open a file during a customer presentation), opportunity costs, and hassle during deadlines with the perceived risk and severity of organizational data security.
Security Strategies for the Social Era
This points us to strategies to increase our data safety while still performing in the social era:
Focus on technologies that are easy to use (e.g., automatic encryption or virus protection that doesn't’t slow down daily work).
Enable individuals to temporarily shut off security tools when a work goal demands it (e.g., virus scans not running in the middle of a presentation - I enthusiastically vote for this one).
Use a language of safe collaboration with terms like, “company proprietary,” “share freely,” “share with the project” or “when in doubt, don’t send it out.” This makes security part of collaboration rather than a barrier.
Generate awareness of the costs of stolen or compromised data. A changing ticker can keep more interest than a static security reminder on a login splash page. Security awareness training can work, but it has a short half-life.
Prepare for risks from the inside. In Social Engineering: The Art of Human Hacking, Christopher Hadnagy notes that malicious insiders (the second most costly form of data loss noted in the 2012 Ponemon study) might be avoided through training:
There is no one data security approach that fits all organizations. There is, however, one certainty: all security is human at its core. The members of your organization, in partnership with your security experts, must be engaged in designing the right mix of human, technical, and organizational policy mechanisms to support security and collaboration as our data risk increases.
For more multidimensional perspectives on data security, see the Harvard Business Review blog's Insight Center "Data Under Siege."