A number of studies and countless conversations with security professionals point a finger directly at employees and say, "Here is one of the biggest, if not the biggest, threat to a company's network security." For example, there was that Trend Micro and Ponemon Institute study earlier this year that showed 35 percent of data breaches are caused by employees who lose laptops or mobile devices. The study also showed that the vast majority of employees don't report a data breach after it has been discovered.
No doubt about it - employees are dangerous to company security. If you've read my blog long enough, you know I am a strong proponent of security policies and security education - and I will continue to advocate for those things, for every person who touches a computer.
And that education needs to begin at the very top of the corporation, with the executives who are the company's primary decision makers. According to Carnegie Mellon CyLab's new 2012 Governance Report, corporate boards rarely consider the company's security needs. One article I read on the topic called corporate executives and board members "clueless," and it is easy to see why such strong language was used. In a Forbes article, Jody Westby wrote:
Seventy-five percent of the 2012 survey respondents were from critical infrastructure industry sectors, primarily the financial, energy/utilities, IT/telecom, and industrials sectors. When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two. The energy/utility respondents indicated that 71% of their boards rarely or never review privacy and security budgets and 57% of their boards rarely or never review security program assessments.
These are companies whose well-being depends on solid network security, and companies whose security failures will affect hundreds of thousands, if not millions, of others. And yet, security is barely a blip on their radar? Clueless, indeed.
An article on NetworkWorld suggested that it may not be totally the executives' fault, and that it is up to those in charge of company security to speak up and do a better job of communicating security concerns to these top-level executives. Perhaps that is partly true, but I have to wonder if the executives are willing to listen - or care - about security. It is an issue that seems to fall through the cracks. Security doesn't show up on the bottom line until something bad happens - and until then, why bother? (Right, Sony?) Communication is a two-way street. CISOs need to speak up - loudly - about security concerns, but executive boards need to actually listen.
Or, at the very least, they need to sit down with the secretaries and office managers when they have their security education classes.