Security is no longer a function that can be restricted to just one group within the organisation. Up to now, the IT department has been afforded the luxury of seeing themselves as the guardians of corporate data, shielding the innocent employees of the organisation, behind the scenes and without their knowledge.
This heroic picture gave some IT teams the right to restrict the flow of data in the name of keeping the organisation safe from outside malicious forces, like some sort of corporate CIA.
The current trends in IT deployment show this delusion to be just what it is. On one hand, market forces are putting pressure on many organisations to make more use of data and free up access to it to an increasing number of employees.
On the other, the growing use of mobile devices means corporate data is legitimately moving outside the firewall. A small number of IT staff cannot possibly police the movement of data in this way.
Huge strides are being made with embedded security - putting protection in the device as we move towards deeper integration between software and the chip. But the end user remains the weak link, and as such IT teams may justifiably argue that data has to be restricted because employees are too careless with it to be trusted with its safety.
Even now, research shows that UK payment card fraud is up by over a quarter year on year.
Other research from the US has found that six out of every 10 consumers re-use the same password for every online security check, allowing fraudsters much more access to their personal data once that password has been hacked.
If people can’t protect their own data, what likelihood is there that they will make sure their employer’s data doesn’t stray into the wrong hands?
Clearly it’s important that employees become more aware of the dangers and the practices they need to adopt to avoid them.
There are increasing signs that the law will be changed to make organisations much more accountable for the security of the data that they hold about customers, even if that data is off the premises. It is reasonable to assume that this liability will be filtered down to individual employees.
The enterprise infrastructure may need to be altered so that the flow of data can be tracked to individual users more easily and at a more granular level.
If employees are aware that it is their responsibility to look after the corporate data they have access to, that they will be held accountable if it is lost, and that they have agreed to this beforehand, they will very probably become less careless about leaving laptops in cabs and giving away passcodes to strangers in a bar.
Rather than adopting the role of the data-police officer, it is the IT department’s job to educate employees about the correct approach to individual responsibility for data security. This is the only way data can be distributed safely across cloud networks and to employee mobile devices while retaining the agility to keep the organisation nimble, competitive and adequately serving the customer.