Trust, but verify: A modified Zero Trust standard applied to your personnel
By Vanessa Harmon Gouhin
Director of HR
Columbus Business First
An organization’s data-bearing devices, and the data contained thereon, are under constant attack. The result has been significant daily data breaches – literally. Just this past year, an 88% increase in business security threats or incidents has been reported. Much of this attack activity is directed at an organization’s personnel, and the prolific provisioning of access to resources, as well as the variety of users of data-bearing devices, has directly contributed to the continual rise.
This fact dictates that, to achieve an optimal level of data security within an organization, it is critical to apply a Zero Trust standard to all employee actions – at least a modified version. Our suggestion then, to echo the words of President Ronald Reagan, is “Trust, but verify.”
This may sound harsh at first blush, but in reality it is important for the protection of the very people to whom the standard is being applied. Employees are enticing targets to criminals because of their access to company and client data – most often via data-bearing devices. “It is well established that employees are the intrinsic cause of a majority of data breaches occurring in every industry today,” says Sean Gouhin, EVP and chief corporate counsel at TechR2, LLC, a Columbus-based data security company.
“At TechR2, we advise our clients to implement and adhere to a Track-Contain-Destroy-Verify policy – commonly known as Tear-A-Byte – when it comes to loose-media maintenance thereby all but eliminating any such employee risk. Risk assessment, training, certification and written plan implementation are critical components of the policy,” he said.
Security hygiene is of utmost importance, and a sound protocol that tracks, contains, destroys and verifies proper handling of data-bearing devices, as well as the data contained therein, keeps employees’ hands clean. Periodic monitoring via risk assessment, reconciliation, auditing, reporting and review maintains the integrity of the program. Such a protocol adheres to the Zero Trust policy and serves to protect not only the organization but, just as importantly, the people who make up the organization. With the risk removed altogether, trust logically follows, as any chance of collusion or negligent breach is mitigated. Verification is then used to formally confirm what we already know.
In today’s threatening environment, every business should be motivated to invest in state-of-the-art data security solutions and employee training. Such training is a key element for the protection of your employees and for the establishment of a company’s cybersecurity framework. Otherwise, you are exposed to ever-increasing fines, penalties and punitive punishment under rules and regulations such as GDPR, HIPAA, PCI, California’s soon-to-be-effective Consumer Privacy Act, etc.
Technology threats evolve daily and today’s businesses cannot account for as much as 70% of their data-bearing devices. The employees in possession of these devices (and the data) are the most critical layer — the last line of defense — with multiple access points which are at risk.
Protect your employees. Trust in your employees. But always verify. A policy that implements Track-Contain-Destroy-Verify procedures will mitigate the human vulnerability factor. Trust, but verify.
 AT&T 2018 Cybersecurity Insights, “Charting a New Course.”
Vanessa Harmon Gouhin is a licensed attorney and serves as director of HR at TechR2, LLC. Harmon Gouhin is a premier authority on data security solutions as applied to organizational behavior and human resources, and has been published on the subject matter.