Where’s My Data?
The recent story on Booz Allen’s exposure of sensitive government information is a good reminder that making employees aware of likely cyber threats is only ONE part of a comprehensive security awareness program. The other part? Teaching your users how information security policies apply to them.
We don’t know what led an employee (or employees) to place government data in public cloud storage. I often wish we could dig into the “WHY,” because that is where the problem to be addressed lies. Was it ignorance? Was it malicious intent? Perhaps it was actually fulfilling a business need but lacked proper oversight.
The Circle of Trust
At Cyber Safe Workforce, we teach a concept called The Circle of Trust. It focuses on placing work information in work-approved locations only and why it’s important. There are countless stories of employees copying records to their personal e-mail accounts or placing large files in personal cloud storage. In most situations, the employee believes they are doing the right thing by creating solutions to complete their tasks without bothering IT. Data is not placed outside of the workplace for personal gain. When users install software without IT oversight, it’s called “shadow IT.” With The Circle of Trust concept, we let users know the dangers of this–potential breaches that cost the company time, money, and goodwill with clients.
Fearing the Unknown
A couple of years ago, I was speaking with a CISO of a university whose greatest fear was that he simply did not know where all of the university data lived. Sure, they had protections and monitoring around their known databases and information systems, but what about the shadow IT, spreadsheets, and other documents living on an end-user’s system? This data may have been there for years… the owner has probably forgotten about it. However, a breach of that user’s system could bring it to light and register a loss for the university.
At the end of the day, the unknown cannot be protected and monitored.
Keeping track of the information and its flow through the organization is a hard task–no bones about it. With more and more organizations using cloud infrastructure, someone has to track where that data lives. And someone has to audit its protections and monitor it for unauthorized access or tampering. If you didn’t build your IT from the ground up or weren’t there since the beginning, and if processes and auditing are not in place, finding and monitoring your organization’s data is a significant challenge.
Having the discussion about appropriate storage locations and transmission of information is a key concept of security awareness. Work with departments to identify their non-public information and its workflow. Then, work together to make sure the proper protections and monitoring are in place. Each department may need its own dedicated data custodian/owner, data classification guide, and training materials on proper handling of information. When the organization is “cyber aware,” the need for these activities is justified in users’ minds.