Most people would agree that in recent years, there has been a cultural shift in the way we use technology and yet so many organisations are choosing to ignore that fact when they create their cyber security policies - or neglect to create those policies at all.
In the past, the nitty-gritty of technology was left to the IT department, so it made sense that they took the majority of the responsibility when things went wrong. After all, they were the ones who handled the data regularly and put the safeguards in place; if those safeguards failed, responsibility fell on the IT department.
Now, things have changed. Organisations need to be more vigilant with how their data is accessed, by whom, and from where. Rather than thinking data protection stays within the remit of the IT department, leaders must understand that a culture of security is paramount to organisational success. Data protection is no longer the domain of a few - it is for everyone. Achieving a security and data protection culture does not happen overnight. In order for it to happen, it needs to be embraced at C-level.
It can be exasperating to hear of employees leaving USB drives with sensitive information lying around. But most likely, the individual hasn't been informed of the value of the information they hold or what they should be doing to keep that information safe.
- Make sure your organisation understands the value of the information being handled. The appropriate Secure Information Management Framework and risk assessments can only be put into place when the value of information is understood.
- Ensure that all employees know the kind of information your organisation holds as well as the value of it - no one is going to be committed to keeping data safe if they don’t realise its value.
- Make sure that any training you do has dedicated time for learning the responsibilities each employee at each level of the organisation has in regards to cyber security.
- Create an easy-to-read classification framework that ensures every employee knows exactly what to do and what not to do with the information they are handling. It's as simple as categorising each piece of information within your organisation so that every employee can quickly and easily see the classification of data. After all, every organisation has valuable information, so creating categories makes it easy for employees to understand their responsibilities and prevent breaches from occurring. Classification categories can include:
  - Corporate IP (Financial, Strategy, Product, Patents, R&D, M&A)
  - Customer information
  - Employee information
  - Internal information
  - Public information
- Create a data security org chart and report it to C-level. Just as you have managers or owners of a project in an organisation, you can also create information asset owners. These are individuals who own specific information assets and can make decisions and set policy on how, and by whom, that information is accessed and shared. They can also help to identify and enforce retention periods and regulatory requirements. As in a traditional org chart, information asset owners are ultimately accountable to the senior information risk owner, who sits at board level, giving the C-suite oversight of information risk.
- Equally important are the creators of content, as they are best positioned to know how content should be classified and to define who should be granted access.
Your security policy is only ever as good as your weakest link. By encouraging and committing to a culture of security, organisations can ensure employees are informed and able to make wise security decisions for themselves.
At Berkeley, we develop and deliver secure data protection and privacy solutions to government and commercial organisations to ensure that they comply with relevant data and privacy laws. Get in touch with us today to find out how we can provide the right data protection solution for you. https://berkeley.solutions/