How a company’s culture can limit data breaches

Strong internal controls, robust training and education, and stringent data management policies have been shown to reduce employees’ carelessness with valuable information such as a company’s strategic vision or its customers’ personal data.

But all that supposed strength – website filtering, complex password requirements, and two-factor authentication – is trumped by a softer and sometimes forgotten way to cut down on data breaches from unintentional employee mistakes: company culture.

Culture is more than intranet posts by the IT director or emails reminding staff not to download company documents to devices outside the corporate network. Culture is what you see your supervisor or peers say and do regularly, and data from information services firm CEB indicate that culture is the best way to drive change in workers’ privacy behaviours.

In the average company, 28% of employees agree that they exhibit poor privacy behaviour, a CEB survey of more than 5,600 workers shows. Awareness of what to do in regard to privacy issues drops the percentage of poor behaviour to 21.9%, and the presence of access controls drops the likelihood even further, to 13.1% agreeing. The No. 1 deterrent in companies: strong team climate, under which just 3.6% of employees agreed or strongly agreed that they exhibited poor privacy behaviour.

“Having a good privacy climate, not only peers that reinforce good privacy behaviour but that talk about privacy in the context of your job, creates much better effectiveness than training or even controls,” said Brian Lee, a data privacy practice leader at CEB.

If an employee has found a workaround to avoid changing a password every 90 days, chances are others will mimic that shortcut to save time and headache, even if the action is officially against company policy. Sometimes, workers are unaware of the seriousness of their actions, which is behaviour that can be curbed by greater awareness. Sometimes, workers simply dismiss company policy, knowing that the action puts data at risk but continuing down that risky path for the sake of convenience.

“When someone wants to get a job done, security can sometimes be an obstacle,” said Steve Ursillo Jr., CPA/CITP, CGMA, who advises companies on information security. “It becomes challenging for different people in different situations, and they will sometimes cut corners even though it is a violation of policy.”

CEB has a phrase for this sort of behaviour: “rationalised noncompliance”. And it has four ways to better embed privacy requirements into workflow:

• Identify business processes that collect, store, and use sensitive data. Not all work involves such data, but areas such as payment transactions or employee or customer health information can be risky.
• Identify and address situations where noncompliance is more likely. One obvious area of concern is devices that aren’t company-owned. Employees who do work on their own smartphones, tablets, or laptops can be putting data at risk if they don’t take proper precautions. “Historically, there have been borders drawn around the data,” said Ursillo, the director of Information Technology and Assurance Services at Sparrow, Johnson and Ursillo Inc., an accounting firm in the northeastern US state of Rhode Island. “With the explosion of mobile computing, those borders are really leaking. There’s a traversing of those borders.”
• Rely on managers to drive compliance. CEB recommends that managers provide input on how privacy requirements align with a team’s work. If data security is discussed regularly, instead of once a year as a check-the-box exercise, employees will have a better understanding of its importance.
• Use a continuous improvement approach to align privacy requirements and workflow. Leading companies get real-time feedback about the effectiveness of information controls. That input from workers can help reduce inefficiency and address employee perceptions about policies that might seem unrealistic.

Learning about employee perception matters. Privacy leaders at companies surveyed by CEB overwhelmingly pointed to a lack of awareness of policy or of the importance of good data security behaviour as a factor in data breaches. Employees told a different story: 45% chose intentional, nonmalicious behaviour as a factor in data privacy violations that they observed or were involved in.

Awareness training still matters as part of a solid, enterprise-wide information security programme. But modelling good data security behaviour may matter more.

“If you thought it was about awareness, you would do more training and more communication, which is what we see privacy teams do,” Lee said. “With this finding, I think there’s good reason to believe that your training and awareness can only get you so far.”

—Neil Amato (namato@aicpa.org) is a CGMA Magazine senior editor.