Top reasons cited by survey respondents for sending out confidential information included:
Let’s look at a real-world example of this: Last year, the personal information (including social security numbers) of 36,000 Boeing employees was exposed by an employee trying to get his wife to help him with an Excel formatting issue.
In this case, the employee wasn’t trying to do anything malicious (in fact, he said he didn’t know the spreadsheet had employee information on it – those columns were hidden). He was just trying to get help with an issue. It doesn’t look like the employee information went any farther than his wife – while that’s certainly not great, it could’ve been much, much worse.
This kind of incident could just as easily happen at other organizations. What if this hadn’t been Boeing, but a hospital system, and instead of personnel information, the spreadsheet contained patient data? Or a major retailer, and the spreadsheet contained customer credit card information?
So, what can you do to prevent your employees from sending out confidential company information (regardless of their intention) and putting your company at risk?
Dell also found that nearly half of respondents used personal email accounts for work (the numbers are even higher in small businesses and regulated industries). More than half of respondents use personal cloud services like Dropbox to back up their work. The reason behind this is usually convenience – they don’t have the right tools (or they don’t know how to use them), so they turn to personal accounts to get their job done.
Give your employees the tools they need to do their job effectively and securely. They need access to reliable email and storage. If their job involves handling and sending sensitive data, give them encrypted email.
If they don’t have company-approved ways to do something (or if the company approved way is too cumbersome or unreliable), they’re going to find some other way. When that other way is outside the control of IT, you’re opening yourself up to risk.
Regardless of what tools you use, you need to have clearly outlined policies for how to handle company data. Policies should include how employees should access company data (approved devices, approved apps and software, etc.) and how employees should interact with company data (rules for sharing, backing up, etc.).
Your employees should be trained on all policies, and those policies should be strictly enforced, including consequences for breaking them. It may seem harsh, but sending confidential information outside the company, even if your intentions are good, can put your company at risk.
Talk to your IT team – some policies can be turned on and enforced automatically. If you’re an Office 365 user, you can implement Data Loss Prevention policies in Outlook and other apps. These policies work to automatically identify sensitive information (like social security numbers and credit card information) and prevent it from being shared outside of your company. It’s customizable to fit your company’s specific needs and has built-in settings to help you meet compliance needs.
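To make the idea of automatic identification concrete, here is a simplified sketch of the kind of pattern matching a DLP rule performs on an outbound attachment. It is an added example, not Microsoft's implementation or code from the original article; the function names, domains and sample cells are constructed for illustration.

```python
import re

# Simplified patterns; real DLP engines also weigh nearby keywords and confidence.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for each SSN or card number found in text."""
    hits = [("ssn", "***-**-" + m.group(3)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def outbound_decision(sender_domain: str, recipient: str, cells: list[str]) -> dict:
    """Block when any cell holds sensitive data and the recipient is external.
    The scan covers every cell, so columns hidden in the sheet view still count."""
    external = recipient.rsplit("@", 1)[-1].lower() != sender_domain.lower()
    hits = [h for cell in cells for h in find_sensitive(cell)]
    action = "block" if external and hits else "allow"
    return {"external": external, "hits": hits, "action": action}

# Constructed sample: all cells of an attachment as a scanner would read them.
# The last two cells stand in for columns hidden in the spreadsheet view.
SAMPLE_CELLS = ["Name", "Notes", "J. Doe", "order 1234 5678 9012 3456",
                "219-09-9999", "4111 1111 1111 1111"]

if __name__ == "__main__":
    print(outbound_decision("example.com", "spouse@example.net", SAMPLE_CELLS))
```

The order number in the visible column is ignored because it fails the Luhn check, while the values in the hidden columns trigger the block for an external recipient.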
Train your employees on data security best practices. Make data security training part of your new employee onboarding and regularly re-train employees. We cannot emphasize this one enough. In fact, if you only have a small budget to spend on data security, this is usually where we recommend you start.
Your employees are your first line of defense and potentially your biggest weakness. All it takes is one employee falling for a phishing attack or clicking on a bad link and your company is compromised. Dell found that only 36% of employees feel very confident in their knowledge of how to protect sensitive information. That’s just not good enough.
Your employees also need to be trained to use the company-provided tools to do their job. You can give your employees all the best apps and software to help them work productively and securely, but if they don’t know how to use them, they’re still going to use their personal Dropbox account or send an Excel file to someone outside the company to get help with formatting issues.
Most employees just want to be able to do their job. If you don’t give them the resources to be able to do that, you’re potentially putting your company at risk.