As security experts know all too well, staff knowingly and intentionally circumvent your carefully designed security protocols. In particular, Microsoft researcher Cormac Herley has stirred up the waters with his report about the marginal value of frequent password changes. For another perspective, see Michael Kassner’s Are users right in rejecting security advice?
Losing data like intellectual property may be financially significant or merely embarrassing. However, for data protected by state or federal laws, such as social security numbers (SSN), personal credit card numbers (CCN), or protected health information (PHI), there are typically legally required notification requirements, and potentially fines. If you are dealing with credit cards, you also have to conform to PCI-DSS, otherwise your merchant status is at risk.
Bottom line: you need the data to run your business and the potential for loss is great, so you need everyone’s help to protect it. But is anyone really listening? You face a Sisyphean task – you repeat your message ad nauseam, only to have the victims of the next incident profess total ignorance.
Here are three tips that may help you cut through the clutter of messages and really engage the folks in your community.
Know the processes
A recent Forrester report makes the distinction between “custodial data” (generally personal information protected by laws) and “secrets” (business confidential information, such as financial forecasts, marketing plans, and product pipeline).
People like to keep secrets (or, at least, they like the idea that they have access to secrets). Sure, you may have a misguided or malicious employee who compromises the secrets, but in general, people with secrets know they have them and try to protect them.
Custodial data is different – it’s just ‘there’. It’s generally not very glamorous, and if you asked staff if they handle this kind of information, it may take them a minute or two of real concentration to remember that “Yes, SSN is indeed a field on form XYZ, which I handle once a month.”
So the more you know about the processes where custodial data shows up, the more of the heavy lifting you can do for the individual. Instead of saying “If you have SSN, then you must…”, you can say “Since you process form XYZ, we know you have access to SSN, therefore, in order to protect it, you must ….”
Data classifications can be complex – do you really expect folks in your organization to internalize this amount of detail?
Most people don’t have the time to understand the different types of sensitive data, and which data really matters to whom. If you ask a random group of office workers what comes to mind when you say “sensitive information,” you are likely to get a wide variety of responses, with “salaries” being fairly commonly mentioned. Equally common is the surprise that salary information is typically not a legally protected piece of personal information. It is much easier for many staff to envision the upset if the company payroll were posted online than if some unknown hacker broke into the payroll system and appropriated everyone’s SSN.
There are certainly plenty of options when it comes to data classifications. In general, the focus is on importance and/or confidentiality, without being explicit about the context, in particular the applicable laws and regulations (e.g. HIPAA, state data breach laws), contractual requirements (e.g. PCI DSS), or company policies (e.g. intellectual property, salary information). And because the context is not always clear, the consequences of a data loss are not always spelled out. This lack of clarity can create confusion (or apathy) in the event of a data incident.
Rather than lumping many different types of highly sensitive data into one bucket, consider data classification subsets. For example, most states now have some form of a data breach law that covers some types of personal information, such as social security number, and credit card numbers. The data elements covered by your state breach law could be grouped under a heading such as “personal information requiring notification” (PIRN).
Not only is such a subset more likely to be small enough that people can remember the list, but your data protection and data incident documentation can also provide clear direction – “If you have PIRN, then do….”
Messages that resonate
Once you know the processes that include sensitive data, and have some manageable chunks for describing the data, you can think about the messages you want to send that will encourage staff to take ownership of protecting the information.
Think simple. Think memorable. Don’t think IT. This is not the time to list the 14 characteristics of a strong password, or to suggest they read the 59-page NIST guide to protecting personally identifiable information.
For general data breach prevention awareness, you might borrow from Smokey the Bear: (insert your CEO/company mascot here) says “Only you can prevent a data breach.” “Loose lips sink ships” is another chestnut that could be recycled.
If your environment lends itself to posters, or hardcopy mailings such as postcards, you can combine words and images: a headline such as “Some things aren’t meant to be shared,” with a picture of a toothbrush, comb, etc., and a tagline “So don’t share your password, company data, etc.…”
Drawing parallels to other familiar scenarios can be very powerful, such as the ubiquitous flu season posters and reminders about good hygiene – e.g., exhortations about hand washing are similar to rigorous use of anti-malware protection; not touching your face with your hands could equate to not responding to phishing attacks.
For environments that routinely deal with hazardous materials, it may be feasible to make an analogy and talk about a ‘toxic data spill’ and the importance of calling in the IT “hazmat” team for cleanup. You may be able to add impact by referring to the cost of cleanup, and the potential for fines and/or community uproar.
For staff who may only incidentally need certain information, where the most significant risk mitigation step is not to have the data in the first place, you could introduce mantras such as “You can’t lose what you don’t have” or “Don’t collect what you can’t protect.”
Don’t overlook the value of reinforcing messages by repetition. Marketing people know it takes many repetitions of a message before people “hear” it. You probably know this from experience – you send a carefully crafted email regarding data security issues, and it is obvious from the questions (or the failure to take action) that most recipients don’t remember it. Posters have a relatively short half-life – while there may be an initial impact, after about 2 weeks no one “sees” that poster anymore.
Appealing to the different senses is also helpful. In-person presentations will be more effective, because people are both hearing and seeing the message. Many organizations feel they don’t have time for in-person presentations. However, few things are going to be as memorable for your audience as meeting with them on their own turf, including examples they can relate to and allowing time for Q&A. Add in some food (e.g. ‘thank you’ chocolates, popcorn, or pastries) and you’ll have them eating out of your hand!
Although breaches can’t be eliminated, staff engagement in a data protection program can reduce risk.
Allison Dolan is Program Director for Protecting Personally Identifiable Information at Massachusetts Institute of Technology. She has helped shape MIT’s response to the Massachusetts data protection regulations (201 CMR 17). Her background includes application development, innovation facilitation, system administration, human resources and telephony.