...the data clearly show that human error is still the leading cause of cyber security breaches.
In recent years, attention has been drawn to the impact of cyber and data breaches and the extent to which our organizations remain vulnerable to these threats. The cost of cyber and data security breaches is well known and most organizations are taking steps to address the problems. But while much is being done, too often ethics and compliance officers have remained on the sidelines wrongly assuming that cyber security is not their concern. While ethics and compliance departments may not be the appropriate lead function to address these risks, it is a serious mistake for E&C to be uninvolved. E&C can and should play a key supporting role in identifying and mitigating cyber and data-related risks.
One obstacle to more involvement is the assumption that these risks are technology problems and therefore are best mitigated by technology solutions. But the data clearly show that human error is still the leading cause of cyber security breaches. For example, recent research “revealed that 69 percent of companies reporting serious data leaks reported that their data security breaches were the result of either malicious employee activities or non-malicious employee error.” The biggest cause of breaches was non-malicious employee error (39 percent). Interestingly, only 16 percent were due to hackers or external invasion.
This article originally appeared as #8 in our:
Top 10 Ethics & Compliance Predictions and Recommendations for 2017
In spite of this evidence, many organizations are missing this root cause and are focusing exclusively on infrastructure instead of making an investment in employee education and training, but here is where E&C can play a pivotal role.
Key Steps Where Compliance Can Mitigate Cyber & Data Breaches:
Have Clear and Easy-to-read Cyber Standards
Be sure your organization has up-to-date cyber security policies and that the topic is adequately covered in your Code of Conduct. But equally important, make sure the policy and the Code are understandable to employees. E&C officers have done well in recent years developing policies and codes that avoid legalese. In a similar manner, E&C officers need to ensure that their cyber standards are also free of tech-speak and are clear and easily understood by all.
Include Cyber Security in Your E&C Training
Like all training, cyber and data security training should be targeted and tailored to the roles and responsibilities of employees – one size does not fit all. As an E&C officer, apply what you know and the work you’ve already done in developing your E&C training schedule to determine the best and most effective way to deliver cyber and data training so that it will be accepted and effective across your employee population. Information about cyber security can also be woven into case studies within existing E&C training.
Leverage Your Helpline
If you are not already doing so, be sure to add cyber security and data breaches as examples of the type of issues that ought to be raised using your reporting system and Helpline. When you do so, make sure that appropriate escalation and resolution protocols are in place when technical questions are raised or threats are reported.
Avoid Turf Battles
Remember that if you want a seat at the table when cyber security is discussed, you may need to give up valuable space or time that is currently devoted to more central E&C issues. This may include giving up time that is currently set aside for E&C training on other topics, or sacrificing space for posters and awareness campaigns on billboards in common areas, as well as virtual space on websites and the intranet. It may also include allowing cyber-related questions to be included in employee surveys in place of other E&C questions.
Download White Paper: Top 10 Ethics & Compliance Predictions and Recommendations for 2017
