The virtual canary in the coal mine dropped dead in 2010. After years of warbling warnings about practices that compromised sensitive information and the risk of impending data breaches, it keeled over and landed, beak-first, in the dirt.
As hackers attacked companies like Experian, LinkedIn, JC Penney, Dow Jones and Sony, exposing private corporate information and the data of vulnerable consumers, the canary arose, zombie-like, with one final warning from the grave — the hack is coming from inside your office.
The Ponemon Institute is an independent research facility that frequently releases reports on privacy, data protection and information security policy. Through these independent studies and surveys, sometimes corporate-sponsored, sometimes not, they’ve been warning businesses about how confidential and sensitive data is used, misused and abused.
In their most recent report, Risky Business: How Company Insiders Put High Value Information at Risk (sponsored by Fadoo), Ponemon shines a light on the most insidious of threats — the employees and contractors that work inside your office, at your desks, on your network, every day. That’s right, the lifeblood of your business is also your most dangerous foe.
What does the Ponemon report have to say? Let’s break down some of the data on how employees are the worst thing to happen to businesses since the Sherman Antitrust Act outlawed monopolies.
Employees are the WORST
They come in late, they wear inappropriate clothing, they drink all the coffee and never think to brew another pot; employees are the worst. These behaviors may be annoying, but they’re harmless. In fact, employees don’t want to harm the business, it’s actually quite the opposite — they want to help as much as possible. However, by not knowing proper file sharing policies and being unaware of social engineering tactics, they can exhibit a level of carelessness that can be alarming.
Employees and other insiders often lack the information, conscientiousness, and guidance needed to make intelligent decisions about the information they have access to and share.”
Here is a list of ways that employees, unknowingly and often unintentionally, partake in opening your company and customers up to a data breach, according to the report:
- They share files and documents in an unsecured way, through unencrypted email accounts like Gmail
- They use free, cloud-based, commercial file sharing tools like Dropbox that are not meant for business use
- They access files on their home computers and personal mobile devices
- They fail to delete confidential documents or files that are no longer needed
- They share files and documents not intended for them
- They forward confidential files or documents to individuals who are not authorized to receive them
- Recent hires are known to bring proprietary information with them from their old companies to their new companies
- They’re especially susceptible to social engineering or phishing attacks
- If downsized, they can take confidential files with them on a USB to disseminate wherever they choose
Company insiders frequently do stupid things with confidential information.”
Data security is a topic we write repeatedly write about here because it’s so important and, yet, organizations are not moving quickly enough to protect consumers — especially hospitals and doctors, who have, ironically enough, taken an oath to do no harm.
The data that is most often leaked, according to the report includes trade secrets, new product designs, merger and acquisition activity, confidential business and financial information and employee data. All of this data is what keeps a company at the forefront of competitive markets; the loss of this information can be devastating.
The Corporation is Ultimately Responsible for the Actions of the Employee
As any good manager knows, the actions of employees are a reflection of how well that manager is, well, managing. So, as it turns out, the negligence and carelessness of employees is partially their fault, but also the fault of the corporations who’ve stuck their heads in the sand and refused to address the data breach problem until it’s too late. They’ve failed their employees by not providing training, by not addressing the use of consumer-grade file sharing tools and by not moving quickly enough or providing employees updated tools that could mitigate these security threats.
Companies are confident, cocky even, about their ability to stop external threats. As the report points out, companies protect the perimeter of their networks with identity and access management tools and two-factor authentication. But once that perimeter is breached, whether by an employee using an unapproved file sharing app or a phishing attack, it’s a hacker free-for-all.
“68% of respondents say they do not know where their confidential information is located and 61% of respondents say their organizations do not have visibility into what confidential documents and files are used and/or shared among employees.”
Who are the worst offenders? It’s actually the departments that have the most in-depth knowledge of trade secrets and sensitive and personal information: Sales and Human Resources. The report also mentions that the leaders, the C-level execs, are also pretty bad about following a file sharing policy.
How Corporations Can Take on the Threat of the Breach
Here’s the well-known secret to stopping data breaches: communicate openly. Talk to your employees about the dangers companies are facing today. Share with them that, through carelessness, are actually the greatest threat. Employees don’t want to be the reason a company named is dragged through the mud.
It’s made much easier if the communication about data, document and file sharing is centralized into one authority, typically the CIO. Documenting policies, in a place where employees can easily access them is essential. The CIO must also be in charge of training, yearly or even quarterly until employees understand it. Training should cover the methods that employees often fall victim too, including social engineering and phishing attacks, and how they can be more aware of these issues.
It’s also important to provide employees with a file sharing and management tool they can use that’s not clunky, buggy or outdated. There are many providers out there who provide such a tool, but you need to make sure to find an enterprise-worthy file management platform like SmartFile. Enterprise-level tools make security a priority, but also give employees a safer and better way to access and share files.
Employees are used to using their phones and tablets to share work documents and files, so instead of trying to prevent that behavior, tools like SmartFile enable it, but with a secure portal. Managing the employee threat will take time and training, but once it’s handled, it can go a long way towards preventing further breaches.
It’s the point we’ve been harping on in many of the posts that have been published here. Employees must be trained on the proper procedures for security and protecting company information and companies must provide IT with the “tools, expertise and governance” practices. It’s harder than it sounds, but it’s only going to get worse if we keep letting it happen. If anything, do it for the martyred canary.