- April 19, 2018
- Matthew F. Fox
A 2017 Dell end-user security survey has found that over 70% of employees would send confidential information under the right circumstances. They aren’t doing this for malicious reasons; in most circumstances, they are simply trying to do their job. Malicious or not, actions like this can jeopardize your company’s reputation and cause irreversible damage.
Dell polled over 2,600 professionals who handle confidential data at companies with 250 or more employees:
Top Reasons for Sending Confidential Information
Dell found that employees in the financial services industry were the most willing to share sensitive data under certain circumstances, at over 80%. While many of the reasons are perfectly legitimate, likely even more so within the context of their responsibilities, they are a clear signal that most companies need to train their employees in how to properly handle and transmit sensitive information, and ensure that proper policies are established and enforced.
Direction from Management
43% of individuals polled would share sensitive information if directed to do so by management. This doesn’t sound bad at first, but phishing attacks in which someone poses as a high-level employee at a company and asks for sensitive information happen quite often, and the practice of actual staff giving similar direction poses as much risk or greater – not only for data leakage based on genuine requests, but from fraudulent ones as well.
Sharing with an Authorized Person
37% would share information with a recipient who is authorized to receive it. While it may be perfectly acceptable to provide the recipient with the data being requested, how is the data being sent? Is it being sent via a secure method, or at least encrypted prior to being sent? If not, the risk of data leakage still remains as others may obtain access to the information once it has been sent.
Perceived as Low Risk
Nearly 1 in 4 polled were willing to send confidential information if they perceived the risk to be low and the associated benefit to be high. When transmitting confidential information, particularly information that is proprietary or contains personally identifiable data, one should always err on the side of caution.
Enables Them/Others to Perform Their Job
22% responded that sending confidential information enables them to perform their job more effectively, while 13% responded that doing so enables the recipient of the information to perform their job more effectively. This is just as risky as the other reasons that have been cited; one misstep could lead to termination, legal issues, or damage to the business’s reputation – and in any of these scenarios, you probably won’t be working there anymore.
Even more alarming, the poll detailed the most insecure ways employees choose to share sensitive information.
Nearly half have admitted to engaging in “unsafe behaviors” including connecting to public Wi-Fi to access and transmit confidential information, using a personal email account, or losing a company-issued device.
How to Reduce Risk
With an understanding of the reasons why employees share sensitive information, what can be done to prevent data leakage and the associated risks?
Provide the Right Resources
Nearly half of the individuals polled by Dell admitted to using personal email accounts or cloud services for work. Quite often, the reason for this is convenience or a lack of appropriate tools in the workplace. Provide your employees with the tools they need to perform their jobs effectively and securely. If an employee’s job involves handling sensitive data, provide them with a means to encrypt their email.
If an employee has a task to accomplish, and there is no defined or company-approved way to do so, they’ll find a way to get the job done – and potentially open your business up to risk in the process.
Implement Data Loss Protection Policies
All businesses that handle sensitive information need to have clearly outlined policies on how to properly handle their data. The policies should include how employees access and transmit the data (approved company-owned devices, applications, etc.) and how it should be stored.
Employees must be trained on all policies, and the policies should be strictly enforced – including consequences when they are broken. While this may seem a bit excessive, it’s in the best interest of the company and employees.
Speak with your IT services and support provider (or us) about policies that can be enforced on your network. If you are using Microsoft Office 365, data loss prevention policies can be applied to Outlook and other applications. DLP policies will automatically identify activity around sensitive information and prevent it from being shared outside of your company.
Train Your Employees, Rinse, Repeat
Appropriate resources and data protection policies are great, but won’t be utilized unless they are fully understood.
Train your staff on data security best practices from the very start of their employment by making it a part of the on-boarding process. Make sure that they understand how to use the resources provided to them, and the importance of their use in order to reduce risk.
Most importantly, re-train your employees on a regular basis so that they are up-to-date with the latest policies and resources made available to them. Your staff want to be able to do their job and meet your expectations; it’s up to you to ensure that they are able to do so while minimizing risk.