According to a survey conducted by Cisco, “In the past two years, more than 250 million confidential records were reported lost or stolen”, and many of these incidents were perpetrated by insiders. That’s not to imply that your staff members are crooks; they’re often just careless or ill-informed about the consequences of their actions. To make matters worse, broader data access methods and the transportability of data are creating even more opportunities for organizations to haphazardly flaunt or misallocate their data. Of course, this is becoming a major concern for most businesses.
The loss of certain intellectual property, such as business plans, financial data, and information about potential mergers and acquisitions, could seriously tarnish a company’s reputation and threaten its competitive advantage. On top of that, failure to comply with the relevant data protection laws and regulations can lead to pretty hefty fines, and these fines will go up once the GDPR has come into effect. It is clearly very important for organizations to understand the common mistakes employees make that lead to both the leakage and loss of sensitive data.
Below are some examples of the type of employee behavior that may lead to data leakage:
Using Applications Without Authorization
- The use of personal email accounts is the most common example of unauthorized application use.
- The use of online banking/shopping and instant messaging also presents a high risk of data loss/theft as such application use is rarely monitored or compliant with the company’s security policy.
- Such application use also exposes the company network to malicious websites, thus increasing the risk of an attack.
Misusing Corporate Computers
- Employees often undermine security policies by sharing work devices and sensitive data with non-employees.
- Employees sometimes bypass security settings to download apps, music and porn, and to participate in online gambling.
Accessing Both Physical and Network Facilities Without Authorization
Workers sometimes allow unauthorized individuals to enter a facility and move around without supervision. The unauthorized individual is then able to steal information and resources. This is referred to as “tailgating”. Likewise, employers themselves are often the main perpetrators of such theft.
Working Remotely in an Unsafe Manner
- Remote workers widen the potential risk of data loss by transferring files from a work device to a home computer.
- Transferring sensitive information using unsecured communication channels could increase the chance of data theft.
- Employers should avoid talking about confidential company matters in public.
- Employers should use a laptop privacy screen to prevent prying eyes from catching a glimpse of sensitive information.
Misuse of Login/Logout Procedures and Password Policies
According to Cisco, “at least one in three employees said they leave their computers logged on and unlocked when away from their desk”. Likewise, many staff members store their login credentials on their devices, or on paper left on their desks. Organizations need to regularly inform their employees about the importance of logging out of their devices and keeping their credentials safe.
It is important for organizations to have a clear understanding of why employees choose not to comply with security procedures. The Cisco survey revealed that 44% of employees would share information in an unauthorized manner as they “needed to bounce ideas off people”. 30% said they “needed to vent”, and 29% didn’t believe they were doing anything wrong. Sometimes employees just ignore security protocols to view an unauthorized website – believing that no one would find out. Employees often share their work device with family members, as it’s cheaper than buying one for themselves. Unhappy or disgruntled employees may intentionally put company data at risk. Another common problem is that employees often prefer to use their own personal email accounts, even if doing so violates company policy.
There is no magic bullet when it comes to preventing data leakage. Employers often put too much of their faith in technology alone. It is important that organizations focus on processes, policies, and education before investing in technology. In addition, it is important that employers keep a close eye on suspicious behavior exhibited by their employees.