We’ve spent a good deal of time here talking about the risks of data breaches and how to create structures that help prevent them. We’ve even talked about common kinds of breaches and what they mean for your business. But, of course, no matter how much we talk about this stuff, there’s a never-ending supply of new examples to review, and new lessons to be drawn. Given the ever-increasing importance of data security in the post-GDPR (and post-CCPA) world, our focus cannot flag, because even a momentary lapse can have major consequences.
So, obviously, this is a good time to talk about the World Cup.
This Cup has been interesting, not only because England has a squad with a better chance of making it through July than the Prime Minister, but because of the prevalence of own goals. (Americans: that’s when your team kicks the ball into your own goal, and it is generally regarded as a Bad Thing.) Morocco, Egypt, Poland, Russia, and (most spectacularly) Brazil gave a lowlight reel worthy of “Yakety Sax.” It’s the most self-inflicted losses in World Cup history, and no one seems to have a good grasp of why.
Our culture has peaked.
What does this have to do with breaches? If you think about it, easily preventable breaches are the data equivalents of an own goal. I’ll give you a good example. Earlier this month, Sony Pictures Studios released a YouTube trailer for an upcoming film “Khali the Killer,” a standard bid to drive enthusiasm for the release. These direct-to-web trailers avoid the need for costly television airtime and, when paired with data analytics, can be targeted to viewers more likely to want to find out who Khali is going to kill.
One important trick to releasing a trailer, though, is to actually release the trailer and not the entire movie, which is exactly what Sony did: the full film went up on YouTube in place of the trailer. The movie was withdrawn a few hours later, but the damage (both financial and reputational) had already been done.
This, to me, is a fine example of how many businesses approach data security, even after they have begun to claim the “GDPR Compliant” label. A little extra focus would have kept the movie off YouTube, just like a little more focus might have kept student personal data secure. Organizational efforts alone may not solve every data security problem, but they definitely make things a little easier.
That’s why training is such a critical component of data security. We’ve said it before and will say it again: the biggest risk to the safety of your data is you. Unless your employees and leadership understand how to make data security a part of their everyday work, it’s almost inevitable that there will be a bad link clicked, a malicious script forwarded, or a phishing hook swallowed.
How do you train staff? It’s almost never a one-size-fits-all proposition, which means that you’ll need to find a way to tailor a training regime to your industry, your company size, your technology, and your location. More than that, you have to find a way to create (or deploy) a training program that prioritizes the highest-risk issues you face. You have to build a hierarchy of risk and start the program at the top. Obviously, avoiding insider theft or catastrophic hacks is important, but if you spend all your time training the entire company how to detect an incoming DDoS attack and zero time explaining why an email from the CEO to a mailroom clerk is probably a spoof, you’ve wasted your energy and resources.
Maybe I can propose another metaphor for breaches caused by a lack of training. There’s a scene in Ronin where Sean Bean (before he was Ned Stark) is planning an ambush operation with a group of former spies, including Robert De Niro at his lip-pursing best. Unimpressed with the plan, De Niro gets in Bean’s face and pushes him backwards, and Bean stumbles over a mug of coffee De Niro had placed there a few minutes before, leading to the memorable line, “You talk to me about an ambush? I just ambushed you with a cup of coffee.” It’s the little things that can easily trip you up, but it’s also the little things you can learn to control, or at least manage. Data security training (and DataSmart planning) is about recognizing the details that can make the difference.