How to Create a Total Security Culture in Your Organization

1. Changing the stakes: the effect of legislation on security programs

The eminent threat from fraud artists who benefit by stealing vital business and personal information makes your organization’s confidential data vulnerable to security breaches – potentially exposing your customers, clients or employees to identity theft and fraud. As the recovery from the economic recession is just starting, organizations may still be reluctant to increase or even sustain their security budgets. In fact, according to a 2009 survey by TELUS and the Rotman School of Management, Canadian organizations have reported an average security budget decrease of 10 per cent. The question arises: are the scaled down security measures enough to deal with the growing threats of security breaches?

“The high-security culture does not necessarily mean an increase in budgets or more efforts,” says Michael Skidmore of Shred-it. “In many cases, it simply means changing your processes and thinking differently. The first step towards a culture of high security, so critical to the integrity of any organization’s confidential data, is to understand the big picture of the organization’s typical security risks and then assess the best way to address them.” 

2. High-security culture starts with the correct assessment of risks

While each and every organization has unique security challenges, the top five security concerns among Canadian organizations, according to the 2009 TELUS and Rotman survey on security breaches, are related to:

• Disclosure or loss of confidential data

• Compliance with Canadian regulations and legislation

• Business continuity and disaster recovery

• Loss of strategic corporate information

• Employee understanding and compliance with security policy

… and flows from top management

A lack of a strategic security planning, combined with weak or inconsistent implementation of an organization’s security policies and procedures, creates an organizational environment that is more susceptible to security breaches. The culture shift towards total security, therefore, should start at the very top with the adoption of high-security strategic thinking amongst the senior management team, who can then push it down the organization in the form of effective security policies, processes and values.

3. "Insider Breaches" - why security concerns have shifted “inside”

It may come as a surprise to many that insider access to sensitive data, including customer and employee records, is a key organizational security concern, potentially leading to identity theft and fraud. According to the TELUS-Rotman survey, 17 per cent of Canadian organizations reported so-called “insider breaches” in 2008, and that figure doubled to 36 per cent in 2009. Similarly, unauthorized access to information by employees has increased in 2009 by an alarming 112 per cent, and is the fastest-rising breach category.

These figures point to the conclusion that organizations need to turn inward when dealing with security threats. Consider who has access to sensitive information in your organization. Given that employees with “access” are most closely related to potential risks for leaked or lost data, stringent access policies should be in place and followed rigorously. While there are no sure-fire methods for preventing security breaches from within, there are ways to reduce the threat – and creating a total security culture is one of the key components of any successful strategy.

4. Effective security solutions eliminate the risks at the source

Any solutions to the risks of security breaches should be based on a holistic, integrated perspective on document security throughout the document lifecycle across an organization. In other words, documents should be protected from the moment they are created until the time they are no longer needed. The TELUS and Rotman survey reported that the focus in Canada has predominantly been towards after-the-fact security activities, dealing with breaches as they happen or testing the effectiveness of security features that are already in place. Instead, organizations should look to the future as an opportunity to develop approaches and concepts that are strategic, integrated and long-term, such as eliminating security risks at the source and permanently securing the entire document lifecycle across all organizational units.

One of the most effective ways to prevent security breaches from either inside or outside an organization is by implementing “shred all” policies. A “shred all” policy will make sure that all documents are fully and securely destroyed on a regular basis.

The cultural shift should change from reducing to eliminating security loopholes throughout the lifecycle of the document. Rather than “disposing” or “discarding” of confidential data that is no longer needed, employees should be trained in the values of “destruction at the source”.

5. How to create a total security culture: practical tips

A culture of security is about educating employees about the importance of secure document management and destruction. The attitudes and values reflected in your organization’s security strategies, policies, procedures and overall security thinking are the foundation of this security culture.

The tips from Shred-it below will help you build the culture of total security in your organization:

• Identify all potential risks that may threaten the security of your organization’s confidential information, including customer, business and employee-related documents.
• Examine the document workflow and lifecycle, from data generation and storage to data transfer and, finally, document destruction; analyze both electronic and paper-based sources.
• Create a comprehensive information security strategy.
• Develop security policies that are compliant with national identity theft and privacy legislation.
• Restrict access to confidential data, in electronic and paper form, based on specific business needs of specific categories of personnel.
• Train your staff in secure document management and destruction; implement “shred-all” policies and “destruction at the source” values, making sure all paper documents are securely destroyed on a regular basis.
• Build an organizational culture that values and respects confidentiality and privacy.