D. Justhy's Blog

"Getting to Yes, Now!"

Data Security – More than Just an IT Matter

For most of the past few decades, data has been something that belonged exclusively to IT departments. They would acquire it, transform it, enrich it, enhance it, and shape it. In fact, they would even protect it for the organisation.

At least, so it seemed until recent years, when data breaches started to become frequent events and even began to wipe out large amounts of financial value.

As the complexity associated with data compounds along with the evolution of technology, the role of protecting data is beginning to go beyond the confines of the IT department, and rightly so. After all, business models and business processes are not confined to IT departments.

To protect data, companies need to do more than just reinforce their IT departments. They need to invest not just in tools and technologies but also in reskilling their workforce for the digital age. And this reskilling is not limited to technologists alone. That's one of the main reasons that data security is not just an IT matter anymore.

In fact, company boards need to be made accountable for data breaches, if digital age success is an aspiration.

In a June 2017 IBM-sponsored Ponemon Institute Research Report on the Cost of Data Breaches, three root causes were highlighted as reasons for data breaches.

They are as follows:

  1. Malicious or Criminal Attack
  2. System glitch
  3. Human Error

Forty-seven percent of incidents involved a malicious or criminal attack, 25 percent were due to negligent employees or contractors (human factor) and 28 percent involved system glitches, including both IT and business process failures.

As per the report, the per capita cost of data breaches due to malicious or criminal attacks was $156. This is significantly higher than the per capita cost for breaches caused by system glitches and human factors ($128 and $126, respectively).

Malicious or criminal attacks cause the most data breaches, and this includes negligent insiders, that is, individuals who cause a data breach because of their carelessness, as determined in a post-data-breach investigation.

Incidentally, malicious attacks can be caused by hackers or by criminal insiders in the form of employees, contractors or other third parties. However, the most common types of malicious or criminal attacks include malware infections, criminal insiders, phishing/social engineering and SQL injection.

While system glitches are understandably very IT-centred in nature, malicious or criminal attacks and human error are both more about the human element of data breaches.

And the best place to address the human element of data breaches is probably the boardrooms and certainly not the IT back rooms.