A recent survey from Dell found more than 70% of employees would send out confidential company information given the right circumstances. They aren’t doing this for malicious reasons – in fact, in most cases, employees are just trying to do their job. But malicious or not, it can still hurt your company.
Top reasons cited by survey respondents for sending out confidential information included:
- 43%: They are directed to do so by management. (That doesn’t sound terrible, right? But a common phishing attack is for a cyber-criminal to pretend to be a high-level employee at a company and email lower-level employees asking for a wire transfer or for personnel files.)
- 37%: They are sharing with a person authorized to receive it. (This one may not be too much of an issue; the key word is may. The bigger issue, in this case, comes down to HOW they are sharing the information. Are they sharing it using encrypted email or another secure method?)
- 23%: They feel the risk is low and the benefit is high.
- 22%: It will help them do their job more efficiently.
- 13%: It will help the recipient do their job more efficiently.
Let’s look at a real-world example of this: Last year, the personal information (including social security numbers) of 36,000 Boeing employees was exposed by an employee trying to get his wife to help him with an Excel formatting issue.
In this case, the employee wasn’t trying to do anything malicious (in fact, he said he didn’t know the spreadsheet had employee information on it – those columns were hidden). He was just trying to get help with an issue. It doesn’t look like the employee information went any farther than his wife – while that’s certainly not great, it could’ve been much, much worse.
This kind of incident could just as easily happen at other organizations. What if this hadn’t been Boeing, but a hospital system, and instead of personnel information, the spreadsheet contained patient data? Or a major retailer, and the spreadsheet contained customer credit card information?
What can you do?
So, what can you do to prevent your employees from sending out confidential company information (regardless of their intention) and putting your company at risk?
Give them the right tools
Dell also found that nearly half of respondents used personal email accounts for work (the numbers are even higher in small businesses and regulated industries). More than half of respondents use personal cloud services like Dropbox to back up their work. The reason behind this is usually convenience – they don’t have the right tools (or they don’t know how to use them), so they turn to personal accounts to get their job done.
Give your employees the tools they need to do their job effectively and securely. They need access to reliable email and storage. If their job involves handling and sending sensitive data, give them encrypted email.
If they don’t have company-approved ways to do something (or if the company-approved way is too cumbersome or unreliable), they’re going to find some other way. When that other way is outside the control of IT, you’re opening yourself up to risk.
Implement Data Loss Protection Policies
Regardless of what tools you use, you need to have clearly outlined policies for how to handle company data. Policies should include how employees should access company data (approved devices, approved apps and software, etc.) and how employees should interact with company data (rules for sharing, backing up, etc.).
Your employees should be trained on all policies and they should be strictly enforced, including consequences for breaking policy. It may seem harsh, but sending confidential information outside the company, even if your intentions are good, can put your company at risk.
Talk to your IT team – some policies can be turned on and enforced automatically. If you’re an Office 365 user, you can implement Data Loss Prevention policies in Outlook and other apps. These policies work to automatically identify sensitive information (like social security numbers and credit card numbers) and prevent it from being shared outside of your company. They’re customizable to fit your company’s specific needs and have built-in settings to help you meet compliance needs.
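As an added illustration (not code from the article or from Microsoft's DLP product), here is the kind of content check such a policy runs before mail leaves the organization: pattern matching for U.S. Social Security numbers and payment card numbers, with checksum and issuance rules so that random digit runs are not flagged. The spreadsheet export below is constructed for the example.

```python
import re

# Constructed sample: the kind of spreadsheet export an employee might mail out
# for formatting help. All names and numbers are made up for this example.
SAMPLE_CSV = """name,department,tax_id,corp_card
Ann Example,Finance,123-45-6789,4111 1111 1111 1111
Bo Example,Sales,000-12-3456,1234 5678 9012 3456
Cy Example,IT,n/a,5500 0000 0000 0004
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that are never issued: area 000/666/9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def find_sensitive(text: str) -> dict:
    """Return detected identifiers; a DLP policy would warn on or block any hit."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(m.group(0))
    return {"ssn": ssns, "card": cards}


def should_block(text: str) -> bool:
    """Policy decision: block outbound content that carries any validated hit."""
    hits = find_sensitive(text)
    return bool(hits["ssn"] or hits["card"])
```

Note that the second row's SSN and card number are both rejected by the validity rules, which is what keeps a real policy from flagging every 16-digit part number or invoice reference.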
Train Your Employees
Train your employees on data security best practices. Make data security training part of your new employee onboarding and regularly re-train employees. We cannot emphasize this one enough. In fact, if you only have a small budget to spend on data security, this is usually where we recommend you start.
Your employees are your first line of defense and potentially your biggest weakness. All it takes is one employee falling for a phishing attack or clicking on a bad link, and your company is compromised. Dell found that only 36% of employees feel very confident in their knowledge of how to protect sensitive information. That’s just not good enough.
Your employees also need to be trained to use the company-provided tools to do their job. You can give your employees all the best apps and software to help them work productively and securely, but if they don’t know how to use them, they’re still going to use their personal Dropbox account or send an Excel file to someone outside the company to get help with formatting issues.
Most employees just want to be able to do their job. If you don’t give them the resources to be able to do that, you’re potentially putting your company at risk.