
IT Security: Managers should look to employee behavior instead of technology

When it comes to IT security, managers rely too much on technology. Instead, they need to focus on employees' vigilance and habits. They are the ones who really make the difference.

Security software is important and indispensable. But according to Esben Kaufmann, Head of Cyber Security Consulting at NNIT, managers should focus less on technology and more on the human side if they want to increase IT security in their business. It’s about helping your employees incorporate safe habits and routines. And it's about eating the elephant one bite at a time.

You would need to look long and hard for a word as dry and boring as the term "data classification." But Esben Kaufmann insists that this is where it all begins. To illustrate his point, he draws a parallel to our behavior as individuals: You take good care of your wallet and your passport. But you are not as careful, perhaps almost indifferent, when it comes to a receipt for groceries from the supermarket.

This is how it should be at work too. People need to develop an awareness of which data is less important and sensitive, and which should be handled as confidential. Examples of the latter could be board reports or customer directories with social security numbers.

In addition, Esben Kaufmann emphasizes that the security risk exists in the gaps between the systems. Things become dangerous when data is floating around, e.g. when you quickly share a file in a Teams meeting, when SS numbers are transferred to a Word document, or when confidential data is copied into an Excel sheet.

No tall fences

»In the past, you could protect your valuable assets by locking them up behind tall fences,« he explains.

»You cannot do that with data, because data is decentralized in the company. You cannot centralize your data protection. But you can give your employees good tools and methods for handling data properly. It all starts with learning to distinguish between business-critical data and data that is less important to protect. This is where data classification enters the picture. Only after you classify your data can you start working centrally with it, that is, designing the systems in such a way that personally identifiable data and the like cannot be transferred out of house.«

Only a few follow through

At the same time, Esben Kaufmann acknowledges that very few companies are able to carry out a thorough classification of all data in the company. After almost 30 years of digitization, the amount of data has simply become too large. That’s why he recommends eating the data elephant one bite at a time. A good way to start is by looking forward instead of backward. For now, forget about the old data the company has accumulated and instead introduce a forward-looking data classification. One that is easy for employees to both understand and execute.

»As a manager, you have to work towards making some habits second nature to yourself and your employees. For example, every single time we work with a board report or another business-critical document, we press the button in Word, PowerPoint, or Excel that classifies the document and categorizes it as Highly Confidential. That's where we need to get to,« he says.

Choose a few

"Keep it simple" – this is Esben Kaufmann's recommendation. One should be content with selecting one or perhaps two security products and implementing them thoroughly throughout the organization. He mentions an analysis that shows that only 37% of the security products that companies buy are actually implemented. The rest collect dust on the shelf. It doesn’t help that many security products are too difficult to use and not sufficiently integrated into employees' daily workflow.

"Too many managers rely on the technology. But the technology is the least important part here. Ultimately, you and I, the people who work with data, are crucial. We need simple, effective tools that allow us to make data security second nature. We need to find technology that supports good habits. The technology cannot drive the habits. If it does, you will never reach the finish line," Esben Kaufmann warns.

"Data security should be as easy and natural as taking the key out of your pocket and locking your front door."
