Companies are engaged in an ongoing battle to control information. Some data breaches are contained internally, while others grab global headlines. The strength of your internal controls plays a large part in your ability to prevent data theft. The behaviour and attitudes of your employees matter too.
While we are accustomed to the physical security measures in our offices, digital protections are evolving. According to the Online Trust Alliance, nearly a third of all data breaches in the first half of 2014 came from an internal actor and 90 per cent were preventable, whether caused by accident or malice.
To apply an old adage to a new problem, computers don't steal information, people do. At FTI Consulting, we recently surveyed more than a thousand office workers in the UK to gain insights into employee attitudes about cyber-security and data theft.
Many see data theft as a victimless crime, especially millennial employees.
While most organisations have training programmes about data risk, our research found that 65 per cent of employees believe these programmes are not adequate and 69 per cent believe the greatest threat to data security is still posed by their colleagues. Notably, 34 per cent of millennials (aged 18 to 29) view data theft as a victimless crime compared with only 11 per cent of baby boomers (aged 55-plus).
FTI's survey also found that more than 72 per cent of millennials believe they are entitled to take data they have worked on compared with 41 per cent of baby boomers. An organisation's approach to correcting such misperceptions internally should consider these generational differences.
Cyber theft is not about the money.
According to FTI Consulting's survey, the main motive for data theft isn't greed: employees are five times more likely to take data when disengaged, or during a major company transition, than for direct financial gain. Considering another finding for millennials, 51 per cent said they don't expect to be with their employer for more than five years.
All these factors point to a potential perfect storm: millennials are more likely to view cyber theft as a victimless crime; they are entering the workforce during a time of economic uncertainty; and they are more likely to view their tenure as short term. So how can companies engage with all their employees to mitigate these risks?
Make protecting data part of the culture.
Employee engagement must be viewed as a key pillar of cyber security. Key tactics include:
- Clarify the business risk: Leadership must detail the consequences of a data breach to the company's financial results, relationships with customers, and reputation.
- Align with values and culture: Data protection isn't just the responsibility of IT, it's the responsibility of everyone in an organisation. Ensure you have processes in place for employees to voice concerns, particularly during times of company transition.
- Involve employees directly in solutions: Our data showed millennials in particular are motivated by direct engagement in problem-solving, so enlist them to help develop approaches that will resonate with their peers.
- Partner with the compliance and IT teams: Technology or compliance training around cyber security should be preceded by awareness campaigns that reinforce the business urgency.
Quite simply, creating a culture where employees respect data and are motivated to protect the business is critical to cyber security.
In summary, it's easy to build a safe, but with data, someone, somewhere will always have a key. Your approach to engaging employees should be well adapted to this fact.