As vigorously as many organizations are working to prevent them, data breaches are becoming more of a common occurrence, and the consequences are even bigger for organizations and the individuals whose data they hold in trust. As such, we need to get our terms straight, especially when it comes to the victim.
If your wallet were stolen, we would consider you the victim. Organizations that have suffered data breaches have often considered themselves the victim as well. However, the scenario of the stolen wallet is not an apples-to-apples comparison with a data breach because of one significant difference. The wallet is your property, but organizations retain the data of others, and they have an obligation to protect the information that is provided to them. When someone has an obligation or duty, and they fail to fulfill it, they are the malefactor, not the victim. The victim is the person whose data was stolen — the consumer, patient, or partner.
Data breach victims
Okay. So why must we define the victim, or why can’t they both be victims? The answer lies in assuming responsibility. Victims are not responsible for the negative situations they find themselves in, and organizations that consider themselves victims are not recognizing the responsibility they have to protect what has been entrusted to them.
This is a key factor in today’s culture of information sharing.
Protection cybersecurity culture
I use the word culture because this duty is not something that can be handed off to a single person or department. Neither can it be transferred or outsourced entirely to another party. This is the responsibility of everyone in the organization — from the representative collecting information to the receptionist answering the phone; from the janitor sweeping the floors to the machine operator in a factory. Even if you don’t directly interface with sensitive data, you may provide someone with the stepping stone to another person or resource leading to such information.
Consider the information your organization collects and work with as part of your job, and decide whether you are collecting more than you need or if the data you view is all relevant to the role. Some information could be removed or compartmentalized so that only pieces of the data are visible to those who need them. The concept of “need to know” for privacy has moved from being a recommendation to a mandate.
Consider also the way you and your teams interact with data, via smartphone, laptop, tablet or watch. We use these devices in public places where others might view the data or credentials used to access the data. Some access data over public networks where the information can be viewed in transit. In your daily life and in the course of normal business, you work with so much data that must be protected.
Let me empower you today. Don’t be a victim, be a protector. From today forward, see yourself as you are, an integral defense against the breach. Discuss this with your coworkers and leaders in your organization so that you can take the steps necessary to prevent the next one.