Executives understand the need for data security. Now what?
Austin, Tex.
After a barrage of high-profile hacks, most business leaders get it: Data security is critical not just to their reputation but to their business. But top-level executives still struggle to understand the next steps in protecting their businesses.
That’s the finding of a recent survey conducted by Dell of over 1,000 decision makers at top companies. More than three-quarters reported an increased level of conversation about cybersecurity within the C-suite.
For those concerned about data security but unsure what to do next, Brett Hansen, the executive director of Dell Data Security Solutions, and Michael Kaiser of the National Cybersecurity Alliance offered some practical action items at a talk at this year’s SXSW Interactive festival in Austin, Texas (watch full video).
The first recommendation: Set an example from the top and make security a visible priority. Take a cue from the construction industry, for example, where signs on the front doors of work sites tally the number of days since the last accident.
“You need to create that culture within the organization,” said Mr. Kaiser. “When the C-suite talks about cybersecurity, then everyone talks about cybersecurity.”
Other recommendations:
- Inventory your data. Ask your team: What do we have, where is it, what is more important, and how will we protect it?
- Create a culture where it’s okay to come forward and say “I think I clicked on a link I shouldn’t have.” Thank employees for self-reporting.
- Teach employees about spear-phishing and other risks.
- Purposefully create security issues that are carefully contained, and offer prizes to employees who find them and report them.
- Let people use the devices that allow them to be more productive — but do so only after thinking through how to manage your employees bringing their own devices, for example.
- Put conditions on access to data. Like the old James Bond cliché, keep data on a “need-to-know” basis. And look into a new generation of tools that offer contextual access control, meaning an employee sitting at the office behind the firewall will have more access to files than when she is sitting at the airport on public Wi-Fi.
- Adopt the five-part cybersecurity framework (pdf) from the National Institute of Standards and Technology.
These considerations are just as important for small businesses, which represent a growing portion of cyberattack victims (for more on this, watch a second talk between Dell’s Hansen and NCSA’s Kaiser).
A company’s conversation around data security cannot just be about technology; it must involve people and their behaviors, said Mr. Hansen, who works with business leaders to shore up their security posture.
“Ninety-five percent of breaches originate with us, the end users,” he said. “If you are not talking about people, and how they work, and how their work is evolving with mobility, cloud, and collaboration, you are not having a true cybersecurity conversation.”
These talks were part of a series of discussions hosted at Passcode's booth at SXSW. See all that Passcode, Dell, Mozilla, and the Center for Democracy and Technology were up to at SXSW and watch the other talks.