The federal government’s recent $500-million investment in cybersecurity is an acknowledgement of the growing need for cyber protection not only in the public commons but in all aspects of Canadian life — including work and home.
Now, businesses need to take an equally hard look at their own practices and ask whether they are presenting a unified front against cybercrime. In my experience, to do so requires a comprehensive social contract, in which employees bear personal responsibility for security in order to reap its collective benefits. Yet, according to our recent survey, this contract is still less than settled.
The Citrix Cloud and Security Survey probed 1,505 Canadians on issues of personal responsibility and workplace security. As it turns out, there is still much confusion on whose court the ball is in when it comes to securing company data.
In terms of personal responsibility, 40 per cent of employees answered that, as an employee, they feel zero responsibility to ensure corporate data is secure. For IT managers and C-suite executives — those who recognize the drastic toll a cyber breach can take on a company’s value — that figure is less than comforting.
The consequence of this sentiment is intensified by the fact that employees often engage in unsafe cyber practices. Six in 10 employees surveyed have accessed personal or work data using public Wi-Fi networks, and half have been the victim of a phishing email or an online virus. Such a significant portion of Canadian employees undertaking risky practices with sensitive data increases the likelihood that companies will suffer a breach.
This is not to suggest that securing workplace data should be left up to the individual alone. In fact, workplaces have the most important role to play through proper policies, procedures and technology to enforce security from the top down. However, the security social contract must be such that the individual wants to buy in as well.
Executives must therefore develop proactive solutions from both individual and organizational perspectives to make security everyone’s business. There are three important components that executives should consider when bolstering their security social contract.
First, educate. Equipping employees with security training and education and highlighting the human factor improves the likelihood of security protocols being followed. Regardless of how secure a company’s workplace technology is, there are risks if employees are not fully up to speed on security protocols (which is the case with nearly one in three employees, the survey found).
Even the most tech-savvy can benefit from security awareness. This cohort may in fact be the biggest security risk, since they are likely to spend more time on their devices, have the capacity to work around company security protocols and are likely to access company data on their personal devices for convenience.
The second priority is facilitate. IT needs to provide users with the right technology to help employees remain productive and deter them from using personal apps and devices to access corporate information. If employees feel burdened by workplace technology – whether the security features are making them feel too constrained or user experience is too complex – they will use shadow IT (unsanctioned workplace technology) to regain flexibility. IT must therefore offer tools that do not sacrifice convenience for security, and instead find technology that supports both.
The final priority is update. IT needs to ensure that, along with educating users on proper security protocols, it has the right security solutions in place to help detect potential threats in real time. With the right technology, IT can limit opportunities for breaches from the outset and allow for quick resolutions. For example, if corporate apps and data are virtualized, they can be kept secure in centralized data centres, where IT can quickly patch and update apps on all devices.
While risks can never be eliminated completely, they can be mitigated to reduce the impact of threats and breaches. These guidelines support a security social contract that is beneficial from the employer and employee perspectives and protect the individual and organization from cyberattacks.
The needle on cybersecurity is moving in the right direction, and Canadian companies should take the government investment as a launching pad and implement their own comprehensive security strategies.
• Jim Willis is a director with Citrix Canada. He is a Canadian enterprise security expert with more than 20 years of experience in the tech and cybersecurity industry.