Organizations have a responsibility to protect their employees’ personal data. But how can they be expected to succeed if the employees themselves are not well-informed about security best practices or given the necessary tools to secure their data?
Employees may heedlessly scatter their sensitive data across drives, devices, emails, and documents – often in the most overt locations. Should this information fall into the wrong hands, it could result in a serious data breach. It’s not just the incidents themselves that we need to worry about either, but also the potential fines that could ensue. The GDPR, for example, makes no distinction between breaches that involve employee data, and those that involve customer data.
We cannot really blame the employees for not understanding the implications of failing to store their personal data securely. After all, most of us have lots of confidential information that we need to store – whether that information be login credentials, bank details, passport scans, important memos, and so on. Not only that, but many employees make the natural assumption that the company has implemented the necessary security controls to protect the network from hackers and malicious insiders. The truth is, many organizations are still struggling to keep track of what assets they store, where those assets are located, and who has access to them.
A lot of companies are failing to implement the necessary security controls to enforce “least privilege” access. If you want a quick test to see how you are faring in terms of least privilege, take a look at how many folders you have open to everyone in your organization. I’m willing to bet it’s far too many. Then there is the problem of BYOD – a growing trend where employees bring their own devices into the workplace. While BYOD has a number of advantages, if it is not managed correctly it can make it very hard for organizations to keep track of how sensitive data is being accessed and whether it is being accessed safely.
How to Ensure Employees Can Adequately Secure Their PII
The first, and most obvious step that organizations should take is to implement a robust security awareness training program. Employees must be aware of the risks associated with storing Personally Identifiable Information (PII) in an unsecured manner. For example, most employees are unaware that other users on the network might be able to access the PII stored on their device.
It is imperative that companies know exactly what data they store, and where that data is located. There are data discovery and classification tools available that can automate the process of identifying and classifying sensitive data. Data classification will make it a lot easier for companies to prioritise and allocate resources more effectively. Additionally, any data that is no longer required should be deleted as soon as possible. Organizations must maintain an inventory of all devices connecting to the network and use Mobile Device Management software to ensure that any sensitive data is encrypted or deleted in the event that a device gets lost or stolen. Controls must be implemented to ensure that data is never sent to a device that is not on the list of authorised devices, and companies must also reserve the right to inspect work-related emails.
Employees would naturally prefer to store their sensitive information in a single place, and this is not necessarily a bad thing. What’s important is that this information is stored securely. With regards to login credentials, there are a number of tools available to help us remember and secure our passwords. For example, most modern browsers have a basic password management system built into them, and the stored passwords can be accessed on multiple devices. There are also various browser extensions which do a similar job. Other commercial tools include 1Password, Dashlane, and LastPass.
Finally, organizations must have the solutions necessary to enforce “least privilege” account access. Employees should only have access rights to the data they need to perform their duties. While it is possible to do this manually, there are a number of affordable solutions that can make this task a lot easier. For example, LepideAuditor enables organizations to review current access permissions via an intuitive console, which includes details about how permissions are granted, and when they are changed. Such solutions can significantly reduce the risk of employees’ personal data being compromised by hackers or malicious insiders.
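The “quick test” suggested earlier (how many folders are open to everyone) and the permission review described here can be approximated without a commercial product. The following PowerShell script is an added example written for this article, not code from the author or from any vendor mentioned; it walks a share root on a Windows/NTFS host and reports every folder whose ACL contains an Allow entry for a broad principal such as Everyone. The root path and the list of principals are placeholders to adapt to your environment.

```powershell
# Added example: find folders whose NTFS ACL grants access to broad principals.
# Assumes a Windows host; $Root is a placeholder path to adjust for your shares.
param(
    [string]$Root = 'D:\Shares'   # placeholder: root of the file shares to audit
)

# Well-known broad principals. Extend with domain-wide groups as needed,
# e.g. 'CONTOSO\Domain Users' (placeholder domain name).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-BroadlyAccessibleFolders {
    param([string]$Path, [string[]]$Principals)

    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_
            $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # skip folders we cannot read the ACL of

            # Only Allow ACEs expose data; Deny ACEs restrict it.
            $hits = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $Principals -contains $_.IdentityReference.Value
            }
            foreach ($ace in $hits) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # explicit (False) grants deserve first attention
                }
            }
        }
}

$results = @(Get-BroadlyAccessibleFolders -Path $Root -Principals $BroadPrincipals)
$results | Sort-Object Folder | Format-Table -AutoSize
'{0} ACEs under {1} grant access to broad principals' -f $results.Count, $Root
```

Run it under an account that can read ACLs on the share; the non-inherited rows are the explicit grants that most often explain why a folder ended up open to everyone.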