Creating a Risk Aware Culture for Data Security

Andrew Brown, UK Head of Business Development, Sims Recycling Solutions

The digital data security risk landscape is evolving as rapidly as technology is. While it’s impossible to predict what new technologies will emerge and when, organisations can still be ready for them. How? With a proactive, partner-focused approach to risk management, organisations can create the kind of risk aware culture that will guide them through these challenging times with compliant and sustainable data security practices.

In an ideal world, strong leadership and an enabled staff combine to create an engaged culture focused on data security awareness. With management setting rules and leading by example, employees can confidently combine their experience and judgement to make the correct risk management decisions as situations arise. Getting to this point – where data security risk is constantly controlled and reviewed – is not impossible. But it does seem to be an uphill battle for many organisations.

According to a recent HM Government Technical Report, 33% of organisations say that responsibility for ensuring data protection is unclear, and over one-third of respondents said they have not briefed their board on security risks in the past year, or ever. What is one result of this? Data breaches. The number of UK data breaches rose again in 2015, with 90% of large organisations reporting that they were affected. Three-quarters of these breaches were related to human error, a troubling consequence of organisations not being risk aware with regard to data protection.

In order to decrease these numbers, it is important that all staff understand what data exists, where it’s held and how it’s managed. Everyone must understand that unsecured data can lead to identity, intellectual property and trade secret theft, or result in regulatory noncompliance. While malicious attacks tend to be the headline grabbers, staff need to recognise that there is also great risk when data-bearing assets reach the end of their usable life. Sensitive information becomes vulnerable when computers, mobiles, networking equipment and other IT are disposed of. Hard drives need to be securely wiped by a certified, trusted provider who can issue a certificate of data destruction. Only then can your organisation be secure in the knowledge that data risk management is being handled in a compliant and sustainable manner.

Data security awareness should be part of everyday business within the corporate culture. Staff at every level and in a range of departments should be engaged in and talking about risk, so that everyone is enabled to identify existing and potential risks. Once you are clear about your position in relation to risk, you can analyse, understand and implement actions to control it.