According to the 2015 Information Security Breach Survey, 90% of large organisations experienced a security breach that same year. The study also found 59% of employees stole proprietary information after quitting or getting fired.
People don’t always break rules on purpose, though. With data security, breaches can happen unknowingly. Even if you’ve fully embraced PoPIA legislation, your team needs to understand the role it plays in maintaining compliance.
Here’s how you can accomplish this:
1. Clearly define what “sensitive data” is
Although it might seem obvious, you need to define sensitive data explicitly for your staff. Think of this like any other policy that requires clarity. If you give everyone a printed list of examples for reference, no one may claim ignorance when he or she violates your policies.
2. Educate your staff
Some people mistakenly believe hackers need their username and password to crack into emails. They presume a strong password is all you need to protect emails from getting hijacked. But emails pass through multiple points on their way to the recipient, and many can be unencrypted.
In response to a 2017 IBM study, SA security leader Sheldon Hand says, “According to the study, malicious or cyber attacks are a major cause of data breaches in South Africa. Such attacks are financially damaging and present great threat to the reputation of organisations. It is important to start looking at security hygiene measures as an opportunity to avoid falling victim to the next big security threat rather than a nuisance.”
The only way you’re going to get your staff on board with data security is to educate them. Make them understand the high cost of data breaches, which average R32m per incident.
3. Automate your email security
You can’t rely on employees to follow email security rules without fail, and not all mistakes occur intentionally. Your greatest protection against human error is to automate your email security.
Depending on your industry, electronic communications may be governed by a range of regulations. If that’s the case, a stray email could break compliance and put you at risk for hefty fines.
Be careful which DLP security you use
Data loss prevention (DLP) security solutions are available for email, but few guarantee complete security. Email messages take a journey with multiple stops along the way. Only certain client-side encryption tools can protect a message for the entire journey.
Most DLP security solutions scan emails only after they have been sent to the server, while they are still unencrypted. That unencrypted email can be hijacked in transit. The fact that it would have been delivered encrypted won’t matter when you’re facing fines for violating client-side encryption regulations.
Virtru, a leader in email security, can supply an automated DLP solution that encrypts emails from origin to destination. This solution also detects sensitive content within email and provides a warning before it gets sent, a capability most software doesn’t have. As Virtru explains, “An even bigger problem is the inability of other DLP security vendors to detect sensitive content in encrypted emails and attachments. Encrypt an email with PGP or S/MIME and the message will pass straight through the DLP tool, no matter what data it contains. You could use such a system to stop employees from sending unencrypted data - social security numbers, for example - but you’d have no way to prevent them from exposing encrypted data to the wrong recipient.”
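As an added illustration of the gap described in that quote (this is not Virtru's code or any vendor's product; the SSN pattern, function names and sample messages are constructed for the example), a server-side scanner can block a cleartext message but can only mark a PGP or S/MIME message as uninspectable, while the same content check run on the plaintext before encryption still sees the data:

```python
import re
from email import message_from_string

# US SSN shape, the data type named in the quote above (pattern is an assumption).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"

def contains_sensitive(text: str) -> bool:
    """Content check usable on plaintext, e.g. in the mail client before encryption."""
    return bool(SSN_RE.search(text))

def is_encrypted_part(part) -> bool:
    """True for OpenPGP/MIME containers and S/MIME enveloped-data parts."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return str(part.get_param("smime-type", "enveloped-data")).lower() == "enveloped-data"
    return False

def gateway_verdict(raw_message: str) -> str:
    """Server-side view: 'block', 'allow', or 'uninspectable' for ciphertext."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if is_encrypted_part(part):
            return "uninspectable"
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
            if PGP_ARMOR in text:
                return "uninspectable"  # inline PGP inside a text part
            if contains_sensitive(text):
                return "block"
    return "allow"

# Constructed sample messages (not real mail).
HEADERS = "From: hr@example.com\nTo: partner@example.net\nSubject: applicant record\n"
PLAINTEXT = "Applicant SSN: 078-05-1120\n"
CLEAR_MAIL = HEADERS + "Content-Type: text/plain; charset=utf-8\n\n" + PLAINTEXT
PGP_MAIL = (HEADERS +
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(placeholder ciphertext)\n-----END PGP MESSAGE-----\n"
    "--b1--\n")

if __name__ == "__main__":
    print(contains_sensitive(PLAINTEXT), gateway_verdict(CLEAR_MAIL), gateway_verdict(PGP_MAIL))
```

Treating "uninspectable" as its own verdict, rather than folding it into "allow", lets a mail policy decide what happens to ciphertext the gateway cannot read.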
By automating your email security, you’re adding another layer of protection to catch the actual content of emails before they’re sent. This is the ultimate safeguard against human error.
4. Follow up with your staff
Your staff members are busy making your organisation shine, so follow up with them about security measures you put in place. Make sure they understand what you’ve asked them to do, and why.
To make it easier, hold a short meeting periodically to address new policies or changes to workflow, and give people the opportunity to share. They might make you aware of issues you can’t see.
Let everyone know you’re interested in their observations, including obstacles they encounter with your policies.