Published On: June 12th, 2015 / Categories: Data Security

You Don’t Care About Security

Every organisation wants to maintain control of its digital assets. Whether it be corporate information, customer data or the IT infrastructure itself, it all matters, and the ever faithful triad of Confidentiality, Integrity and Availability is core to protecting your business. There’s just one problem though: your users don’t care about the data you’re trying to protect… and neither do you.

We like to think we care. In fact we’re paid to care. But in reality we just don’t.

And why would we?

As an employee of Acme Corp, do you really care if a colleague loses a laptop on a train or sends a proposal to the wrong customer? Of course not. You know it happens all the time, and whilst you don’t want it to happen, it doesn’t fundamentally matter to you. Think about a previous employer. It wouldn’t matter to you if they were breached now. It’s their issue and has no impact on you. We’re a fundamentally selfish species and if our health, happiness, wealth and career are in no way impacted by an event then we simply don’t care.

But would you care if it was YOU that lost the laptop or incorrectly sent the email? Of course. And this is where it gets interesting. It’s not the loss of the data that matters, it’s the effect it has on you the individual.

Take the Sony Pictures breach in 2014. During the investigation and cleanup phase it inconvenienced a lot of employees, but which ones felt the biggest impact? It was the ones who had data about them leaked or who were responsible for the organisation’s security. It was the personal impact that caused the pain. The few high profile resignations that resulted show exactly who gets the sharp end of a major breach. And at the other end are the shareholders, who are now sitting pretty, with share prices well above their previous 2014 maximum. This all seems pretty odd, since we’re conditioned to think that security incidents will necessarily hurt the brand, which in turn hurts the business. But Home Depot, Target and Sony have all shown this not to be true.

So where’s the incentive to keep data safe?

Fortunately these major cases are isolated events, and for those companies data is not the core business. They still have a trading business and customer goodwill after such an event. The SaaS vendor CodeSpaces was not so lucky, having to shut down its business after a major attack. Data was its business, and after the breach it had nothing left. For the vast majority of organisations there is still a real business need to constantly and diligently protect their data.

The challenge is that a business is not in itself a real entity, just a collection of people going about their day-to-day work. You have to rely on these people for your protection, not the business. So if people are the answer, how can we make them care? Surely it’s about professional pride and the common good? In a word, no. We have to remember that whoever you are, from the founder to the apprentice, if you have a better opportunity at a different organisation you’ll take it. There is no real loyalty, so we never truly care. We must focus on the individual, and on the carrots and sticks that will make them care during their limited time within your organisation.

Think about your role within your company. What would make you uninstall that unsanctioned copy of Dropbox? What would make you lock your workstation in the office? Punishment, public shaming, bonuses, awards, promotions, a sense of ownership and responsibility? Maybe all of these to some degree, and it’ll very much depend on the culture of the workforce.

We in the InfoSec community can be a self-righteous bunch, thinking that we care and our users don’t. We’re the bastions of good, battling with our idiot users. But spend a day with anyone in our industry and you’ll see they breach more security policies than most other employees. Somehow we think that because we’re the experts it’s okay for us to live outside the law. In reality we’re all breaking the rules, and all because we’re focused on ourselves and working the way WE want to work.

As with many things, the first step is acceptance. Be honest, admit the problem and then focus on motivating everyone to start acting differently.

About the Author: Carl Gottlieb
I'm the trusted privacy advisor to leading tech companies, helping them gain maximum advantage through the right privacy strategy. My consultancy company Cognition provides a range of privacy and security services including Data Protection Officers, in-depth assessments and virtual security engineers. Get in touch if you'd like to learn more.