Over the course of 2015, many major companies suffered highly public data breaches, not just internationally, but locally as well. For example, Australian retailers Kmart and David Jones both had customer details stolen by hackers late last year. Aussie Farmers Direct also fell victim to an attack in which the personal details of more than 5,000 customers were posted online. Even governments have not been spared with the breach of Queensland TAFE data in October. Most recently, online classifieds website, Gumtree had its users’ contact details compromised.
What all these cases demonstrate is how a single incident can put an entire organisation at the centre of an unwanted media storm.
Before even considering the potential legal ramifications that could soon become reality with the introduction of the proposed amendment to the government’s data breach notification bill, the diminished customer trust and the financial costs associated with a data breach can be equally concerning. Whatever the business, customers want to know that their personal information is in safe hands and they will think twice before entrusting it with companies that don’t have a positive track record in this field.
So, how should organisations proceed after experiencing a data breach?
The knee jerk reaction: Draconian data policies
While data breaches themselves should be a board-level concern, it’s becoming increasingly important for businesses to look at the broader impact that they can have. When a company or a competitor suffers a breach, often the first priority is to review how the overall business handles its data. However, the danger here is that a knee jerk reaction can result in draconian policies being implemented, severely curtailing employees’ use of data. In this scenario, the entire workforce can lose data flexibility and this can impact productivity if the company decides, for example, to limit access to critical information through mobile devices, or restrict employees to work anywhere other than directly in the office. In addition, a hasty reaction to a data breach could potentially have a negative impact on employee morale. This kind of atmosphere where no-one knows what they can or can’t do with company data can result in further mistakes being made.
The data-led approach
Changing employee behaviour regarding data use will only occur through following a data-led approach to business, not just at management level but throughout the entire company. This means praising teams that have shown good data-centric initiatives, to equipping employees with the tools they need to embrace flexible and mobile working strategies. There is a lot executives can do to dispel the common fears surrounding data; however that doesn’t mean the risks should be ignored – they just need to be managed properly.
There are three key ways that data risk can be addressed:
- Policy: which sets out how data and devices can be used and allows employees to clearly
seeunderstand when they’ve breached the policy.
- Training and education: to address one of the common causes of a breach – the human element. This training has to be engaging, relevant and tailored to employee’s roles for it to be truly effective.
- The technology: that a company uses to protect the business if and when a data breach occurs. The key is being able to prove that all compliance processes have been adhered to and to securely track and disable any device involved in the breach.
Ultimately, a business’s attitude to data needs to be set from the top. A company culture that is scared of data and isn’t prepared to embrace a modern way of working will always lag behind its more forward thinking competitors. This information, in all of its forms, is one of the most powerful assets an organisation has. An intelligent, flexible and secure approach to information management will ensure businesses can make the most of its data, and guard against potential risks.