Eight Steps for Getting it Right
As data breach incidents continue to rise, there is a corresponding increase in scrutiny of organizational security programs. Security of personal information is often viewed by employees as someone else's problem, a back-office IT issue. Yet the truth of the matter is that the most common cause of inappropriate access to personal information is employee behaviour, not a malicious hacker on the other side of the globe. A recent study, ISACA's 2016 Cybersecurity Snapshot, found social engineering and insider threats to be amongst the top three cyberthreat concerns.
Here are eight steps for helping to build an organizational culture that values privacy and security as business enablers:
- Accountability at the Top: The need for true engagement by the senior executive cannot be overstated. Roll out the program with a statement from your CEO emphasizing the importance of security to the organization. An initial statement isn't enough, though. The senior executive needs to establish a pattern of engaging on the issue. People will see through it if the CEO is perceived as saying, "It's important because I said it's important, now go away and do it without bothering me." Someone right at the top should be responsible for the privacy and security systems. They may delegate tactical implementation, but ultimate accountability for system implementation and results should rest at the top.
- Delegate Appropriately: In a large organization, it is understood that authority will be delegated down the chain to actually design and implement many programs. Select individuals with the appropriate knowledge, time and authority to actually do the job. Loading privacy or security onto someone who is rewarded solely for other objectives will simply see the task shoved to the side. Conversely, giving the task to an administrative or clerical person who doesn’t have the skill level to develop the program, or the authority to influence people to use the program, is inappropriate delegation that shows a lack of true accountability.
- Risk Appetite: Make sure that privacy and related security issues are considered in your organizational risk management plan. Determine how much risk the organization is willing to take on in pursuit of its business objectives. This involves thinking through the types of personal information you hold, the different ways it is used in your business, and the consequences if things go wrong. Clearly understanding how much risk your organization is willing to take on will help you develop a security program that sensibly protects what needs to be protected, without excessive restrictions.
- Align with Business Strategy: Reposition privacy and security as business enablers. Focus on clearly linking security to productivity (which will be lost if data assets are stolen), organizational reputation and intellectual property. Use the language of finance and business to value the benefits of a privacy program in dollars and cents. Knowing the average cost of a data breach per record for your industry is very useful.
- Build Relationships: Except in organizations that view privacy and security as core to the business, there is unlikely to be a huge amount of resources and funding available for implementation. Building an organizational culture that values privacy and security will depend on the ability of the senior executive and team leads to identify champions who will spread the message. In particular, build relationships with people in middle management who touch a lot of staff, and engage them in training. Identify influencers who may not have the highest rank but are the people everybody trusts, and engage them as security ambassadors.
- Training: Time after time, we see the Privacy Commissioner’s attention shift during the course of an investigation from the facts of a personal information breach to insufficient training. All levels of the organization need regular training regarding personal information protection and related security issues. Yes, that means you, Mr. or Ms. CEO. Train Board members as well.
- Third Party Relationships: Bear in mind that the weakest link in your chain may actually be third-party affiliates, sales agents and suppliers. You may have given them security clearances and access to your systems and premises to do their jobs. Ensure you have appropriate contracts in place in which they agree to abide by at least your privacy and security policies and procedures, if not more. Make sure to provide appropriate training to third parties who will have access to your systems and premises. The people who do the work are frequently not the people who signed the contract. They may have no actual idea of the obligations and expectations that the contract places on them, or of the importance of following those practices.
- Communicate: Use that old sales and marketing refrain: "Tell them what you're going to tell them; tell them; then tell them what you told them." If you have a communications or social media department, engage them to help develop a variety of communication tools in addition to the formal training. Give people periodic information on different types of security risks, how to recognize them and what to do about them. Remember that your employees may be the most effective way of detecting a security threat to the organization. When you have a security success story, such as an employee pointing out an unusual file on a server to the IT department and thereby helping to identify malware, use the story to develop a communication tool that can be reused in various formats. Celebrate success on your internal intranet by giving a small reward and praise to the individual or team, and ask senior managers to tell the story at their next monthly meeting.
Compliance programs are often tucked away in a corner of an organization's repertoire. Instead, they deserve to be out in the spotlight at times in order to truly develop a privacy- and security-conscious culture. Contact PRIVATECH to explore ways in which your organization's privacy and security risks can be minimized. Our on-site and virtual training programs can also assist you in stressing the importance of information protection with your staff or contractors.