The reality is, if you manage or have access to personal and sensitive data, you have the potential to play a role in an information risk event. An annual ‘tick and flick’ eLearning module preaching compliance obligations for IT Security and Privacy doesn’t improve your chances of not having to deal with a breach. The results of the first OAIC report on data breaches highlight a common shortcoming on the part of a significant number of Australian businesses that have not yet managed to mature their people and culture strategies when it comes to cyber and information security.
The huge data expansion in recent years has accelerated the need for more appropriate measures to be put in place. The sheer volume of personal and sensitive information held by companies today is much larger than ever before, and the problem is compounded by the electronic means by which we store, share and collaborate, which increase the risk of that information being inappropriately shared, either accidentally or deliberately. It can be as simple as someone drawing out data for reporting and sending an attachment to the wrong email address. It is important that businesses large and small acknowledge that if they hold personal and sensitive data that is important to them and others, they have a data breach risk, and therefore the reputational and financial risks that accompany it.
In an attempt to minimise risk and contain the growing ‘human error’ factor, organisations need to educate their staff and design engaging employee education programs to boost awareness about information security. Unfortunately, it is often only in response to a breach that organisations take these crucial steps. We need to stop calling people our biggest threat and start seeing them as our biggest opportunity to make some tangible inroads into cyber safety and awareness.
Digitisation of information has made our working lives so much easier, but it is not without risk. IT and HR teams are increasingly working together to promote a strong security culture within their workforce and we should see more of this trend in coming years. If the OAIC report shows us nothing else, it is that we need to be better at taking our workforce along on the cyber ride that many of us have been on for a long time already.