September 6, 2016

Security is not about firewalls and policies – it’s about you

Markus Melin

Head of Tieto Security Services, Tieto

Companies put much effort in securing their data by technological means. However, firewalls and strict security policies are not enough. According to a survey, 75% of security breaches in large organizations are staff-related. True security is people centric security.

During the last months, we have written a great deal on this blog about the requirements that General Data Protection Regulation will impose on organizations. We have told you the basic facts, necessary processes, how to survive the GDPR, and why you need to act quickly.

However, even if you take swift action and enforce all the best practices, there is one thing that probably doesn’t get enough attention: the people who work inside the company.

Companies have understood that it is important to guard oneself against external attacks. In a survey made by Egress Software, almost half of the companies spend most of their security budget on keeping the attackers out.

Only 20 percent prioritize guarding against accidental employee breaches, but that might prove to be a costly mistake.

To err is human

No amount of hardware, state-of-the-art intrusion detection software or airtight processes will keep the human factor at bay. We know how to recover from a hardware failure, and we have backup plans to tackle misbehaving software, but a wetware failure is a much more complicated thing to deal with. Try blocking access to Facebook in your enterprise and you will notice how fast someone figures out a way around it, and how fast everyone else hears about the workaround.

Research by PwC found that of all security breaches in large organizations, 75% are staff-related. That’s a staggering figure. In smaller companies, employees were to blame in 31% of the cases.

Engineers and computer scientists are very adept at solving technological problems, but the human factor requires an eye for psychology and sociology, and a general understanding of why people behave the way they do.

I want to break free!

A common way for IT departments to account for human risks is to put more restrictions in place. This is, however, a very misguided approach. If it becomes difficult to perform basic tasks such as sending files, employees – as rational human beings – make up ways to make life easier.

Instead of closely following a well-thought-out but cumbersome process, they just might use an external email service, a USB stick or some other inherently insecure method. That is a security catastrophe waiting to happen.

To enforce a reasonable level of security, comply with the requirements of the GDPR, and not complicate the employees’ lives too much, your organization needs to understand the human psyche. If the necessary technological restrictions and processes aren’t developed with the end user in mind, they are going to fail. Good user experience is a crucial part of modern security.

When appointing the Data Protection Officer mandated by the GDPR, you might just be wise to look beyond the most obvious choices and hire a psychology graduate.

Read more about how Tieto Security Services can help you manage your security.
