Motivate Your Employees to Become Data Privacy Advocates

3/12/2010

In last week’s post, we discussed why a company should have a security policy that addresses protecting the personal identifying information (PII) of customers and employees alike.  But information security policies are only as good as their execution by employees and administrators. Implementation of the information security policy, like all new ideas in group settings, requires buy-in by those who will participate – without it, the policy is mere words without deeds.

By default, all effective policies have consequences – but what is really needed to implement a cultural change, one that recognizes security as not just a necessity but a value to be pursued, is a re-tooling of purpose. Privileged information, such as employee records, customer records, and vendor records, is in some ways merely a byproduct of doing business. But what would happen if the proper care, maintenance and destruction of those records were part of the business model defining success? A new vision of “profitability” is created. We at Kroll like to say that PII should be treated as if it were money, because a breach can be financially costly to a company. When employees learn to treat PII like money, internal breaches will be far less common.

How does a company motivate employees to grow from a compliance mindset to an advocacy mindset? Personalizing the relationship by making employees custodians of information, not merely users of information, is a most important goal for employers who are serious about data protection. One way to achieve that goal is to emphasize group responsibility. The employer’s goal must be to incentivize all employees to recognize the importance of safeguarding vital information. Collectively, the company or business evolves into a trusted custodian of personal information.

A simple way to start incorporating breach protection and data security is to think of data protection as a 2 by 2 matrix. Along the top axis are internal causes of data loss and external causes of data loss. Along the vertical axis are intentional and unintentional causes of data loss. Have employees discuss their use of PII during the normal course of a business day. If a procedure is perceived to be a threat for data loss or theft, it should be placed in the proper square. Together, the managers and employees will discover for themselves where procedures can be changed to enhance data security.

By Ross Peiser
