The Culture of Data Security

Image

Here at Fortra, we hear a lot of buzz about protecting both customer and company data, but it's alarming how many IT departments and enterprise users are still not protecting their data correctly. According to the Ponemon Institute, fewer than 50 percent of organizations have comprehensive encryption protection in place.

Prevention vs. Remediation

Data and network security should be the basis for every IT decision, but too often it’s an afterthought.

The numbers back this up: three quarters of security professionals focus on detection and containment rather than prevention. The budget that could have gone towards preventing an attack or breach is instead allocated to “detection, containment, recovery, and remediation activities.” But that budgeting may not take into account costs incurred by compliance fines, compensation, and the loss of current and potential customers.

A lack of data security can often be attributed to corporate culture and the fear of change. Most companies at the corporate level agree they are committed to data security and protecting customer records.

Related Reading: 10 Cybersecurity Tips and Best Practices

Data security for the millions of files sent over the Internet or within the cloud is of great importance to all industries, including health care, retail, banking, and finance.

Internet transfers include the critical data needed to conduct business, such as customer and order information, EDI documents, financial data, payment information, and employee- and health-related information. Many of these information transfers relate to compliance regulations such as PCI DSS, SOX, HIPAA and HITECH, state privacy laws, or other mandates.

If a company's official stance is to protect their data, what is causing the security holes?

Security Stances Should Extend Beyond the IT Department

The largest security gaps tend to exist in the departments outside the core IT organization. While these non-security-focused groups may understand that they handle sensitive data, they often don't place the same value on data security practices as the IT Security team.

Luckily, the number of companies that still allow their employees to perform file transfers directly from their desktops and laptops using FTP or other unsecure tools is shrinking. And that’s a good thing: not only are these ad-hoc methods usually unsecure and capable of exposing passwords or entire databases, they don't all function alike and don't provide centralized logs or overviews of how your data is flowing within or outside of your organization.

Related Reading: How a Data Security Breach Puts Your Organization at Risk

Even when a secure solution is in place, employees often try to find a shortcut around the solution in another way. If the security solutions in place aren’t user friendly, they may as well not be implemented at all. It’s critical that departments throughout any organization know what tools are available to them, how to use them, and most importantly why to stick to the prescribed tools rather than bypassing them.

Employee Education: The Number One Prevention Method

Educating employees about the dangers of unsecured data transfer, alongside its cousin unnecessary data transfer, is more business-friendly than preventing unsecured file transfer all together.

Part of this process should be moving everyone to a secure file transfer methodology, such as managed file transfer. Secure file transfer software is the front line of data security: it not only secures your data transfers, but creates a digital paper trail showing where assets are going. This is especially important when you consider all the data security compliance regulations in effect today.

Related Reading: New Tech and New Hacks: How Are Cyber Risks Changing?

Creating a Data Security Culture