We’re now living in the data economy, so you can’t afford to neglect the possibilities of employee actions causing data leakage.
Sometimes this can be malicious; it’s been estimated that one-quarter of employees will take or share sensitive company information when they leave their job. The findings of a 2016 Biscom survey of 600 employees in seven industries show that employees are the greatest risk when it comes to data theft. The survey also found:
15 percent of respondents said they are more likely to pilfer files if they’re fired.
85 percent of those who take data say it’s material they created, so it isn’t wrong.
Only 25 percent of ex-employees took material they did not create.
That’s not to say all such incidents are malicious; poor processes and insecure systems can also lead to inadvertent data loss, even when employees are doing – or trying to do – the right thing.
And as we all know, the costs of a data breach can be high, both financially and in terms of your business’s reputation. It pays to be vigilant.
A fixable problem
About 95 percent of respondents said taking data was possible because:
Their employer didn’t have policies or technology to stop them. The company ignored its policies. That’s good news because it means there’s something you can do about it right now if you fall into either of those camps. Here are five tips for getting your data security in order.
Most survey respondents didn’t accept the categorisation of their actions as “theft”. They don’t think taking company data is malicious or even just wrong because—in most instances—they’re taking something they created; they see themselves as co-owners.
Education can go a long way to addressing this aspect of the problem. Talk to new employees about data protection, security and ownership of intellectual property. Schedule regular communications around this to keep the message fresh.
Where you have policies governing data handling that are clear and comprehensive, you’ll reduce the problem. Put those policies in employment contracts and as noted above, make sure there are periodic reminders.
Your policies should address issues including:
using personal devices to create company data using consumer file sharing and collaboration tools. The range of tools survey respondents used to take information ranged from flash drives to Dropbox to simple printing. It’s hard to track data traffic like this without effective governance, so make sure your policies, procedures and penalties are up to scratch.
Establish data classification and access permissions. You don’t want to stifle productivity, but there’s no reason to give access to people who don’t need it. The principle of least privilege is a good rule of thumb.
Moving to the cloud requires special vigilance with tracking permissions and user access. Even keeping a spreadsheet that lists every employee’s access, tools, and apps can help, but an automated system, with proper governance and security controls, is even better.
Watch for the unusual. Set up alerts for movements of unusual amounts of data or activity at odd hours. On the technology front, tools like network sniffers, intrusion detection and prevention systems and other monitoring hardware and software can keep you alerted to what’s moving into, through and out of your systems.
The survey suggests that some theft—or attempted theft, at any rate—is inevitable. You should prepare for when, not if.
Decide now on how you will respond in the event of an attack or in the event an employee who is leaving the company might be disgruntled. Employees were 22 percent more likely to steal company information if they were fired under “bad circumstances”. So treat your staff well if you want them to be happy and stay, or to leave without incident. It’s not just morally right, it’s also good business.