The “Office of No” isn’t just unpopular – it’s actually making the enterprise less secure.
According to TELUS and the Rotman School of Management at The University of Toronto’s fifth annual study on Canadian IT Security, enterprises that say “no” to new technologies in an effort to reduce risk are in fact less secure than enterprises that adopt responsibly, according to a press release posted by The Sacramento Bee.
The study took a qualitative approach, interviewing security leaders from across the country in a variety of industries to capture personalized insight about the security issues that keep them up at night. Four key security-related concerns were revealed:
- Has my organization been breached, and I don’t know about it?
- How will a breach affect my brand?
- What are my employees doing with corporate data?
- How do I retain my security resources?
In exploring these, several insights emerged, the press release says:
- A pervasive sense of vulnerability: Most Canadian security leaders believe that a security breach in inevitable and lack confidence in their organizations’ ability to detect the breach and mitigate damage.
- People are the weak link: Whether through ignorance or malicious intent, people post the greatest risk to Canadian enterprise security, which puts a spotlight on the need for awareness and education.
- “Yes” organizations are more secure than “no” organizations: Organizations that adopt innovation or new technology responsibly are more secure than organizations that use rigid IT security controls to limit innovation adoption. “No” organizations tend to operate with a false sense of security, the study finds, because employees often circumvent controls to access technologies they deem critical to productivity, leaving the organization unaware and at risk
The study suggests ensuring employees understand how to use new tools responsibly, and that adherence to the security policy is made to be convenient and simple, the press release says. Ongoing training for security awareness helps to ensure compliance.
Also, the Rotman and TELUS team offers five recommendations:
- Don’t assume you haven’t been breached.
- Security diligence must be ongoing.
- Compliance is not the same as security.
- Organizations should work to be “yes” organizations.
- Awareness training is key.