Recently SC Magazine revealed that a British school council employee had lost a USB stick containing sensitive data on over 1,000 school students. The lost data included the students' names, ages, emergency contacts and, in some cases, medical history. As a result of the lost USB stick, the school council was fined £140,000 (about $220,000) by the Information Commissioner's Office (ICO).
Another unfortunate incident came in the form of a WVC school administrator accidentally disclosing the social security numbers of 3,800 former students by e-mail.
Unfortunately, accidental disclosure of confidential data is not uncommon among organizations. According to a recent study conducted by IDC, 52% of organizations characterized their insider threats as predominantly accidental.
Apart from employees with malicious agendas, organizations also face what many call "good employees doing bad things". These 'bad things' range from bending company security policies for convenience to being negligent with hardware that holds important data. The problem is exacerbated because organizations now face a workforce that is increasingly mobile, working from home with reduced IT security supervision.
As we illustrated in our previous blog post, Risks of Managing Confidential and Sensitive Data Within Your Organization, the loss of sensitive or confidential data can have a crippling effect on an organization, both in reputation and in monetary loss. Because internal security risks are a complex challenge, below we provide basic tips on how to reduce employee negligence within your organization:
Data Loss Prevention Training/Education:
Not everyone in your organization may be aware of the consequences of losing sensitive and confidential data. Providing educational seminars and training programs to all employees on an annual basis may be a true eye opener for many, and ensure that they are more vigilant when handling organizational data.
It is imperative that organizations handling sensitive data understand the consequences of accidental data loss and set out clear remediation policies and procedures. Understanding both the likelihood of an accidental data loss and its full consequences, such as the hefty legal and financial penalties incurred by a compliance violation, will ensure that top management pays the issue the attention it deserves.
Manage expired accounts:
IDC recently revealed a startling statistic: as many as 60% of all accounts on the majority of organizational systems are expired. With that many stale accounts, insiders who no longer have a relationship with the firm may still be able to reach the firm's IT resources (e.g., network, e-mail, applications and data). Routinely reviewing account information, and disabling or removing accounts that are no longer needed, ensures that unauthorized users cannot access organizational data.
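The review described above is easy to script once you have an account export from the directory or HR system. The following is an added example written for this post, not EdgeWave code; the CSV columns (username, status, last_login, employment_end) and the sample rows are constructed for illustration, and the 90-day inactivity and 30-day retention thresholds are assumptions you would replace with your own policy values.

```python
"""Flag stale, leaver and never-used accounts in a directory export.

Added example (not EdgeWave's code). Column names and sample rows are
constructed for this illustration; a real export comes from your
directory service or HR system.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Assumed columns:
#   username, status (active/disabled), last_login (ISO date or empty),
#   employment_end (ISO date, or empty while still employed).
SAMPLE_EXPORT = """username,status,last_login,employment_end
alice,active,2013-05-20,
bob,active,2012-11-02,2013-01-15
carol,active,,
dave,disabled,2012-06-30,2012-07-01
erin,active,2013-05-29,2013-06-30
frank,active,2012-12-01,
"""


def _parse_date(value):
    """Empty cells mean 'unknown' / 'not applicable'."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def review_accounts(export_text, today, inactive_days=90, retention_days=30):
    """Return (username, finding, detail) tuples for accounts needing action.

    Findings, in priority order:
      leaver-enabled        employment ended but the account is still enabled
      leaver-past-retention disabled leaver kept beyond the retention window
      never-logged-in       enabled account that has never been used
      inactive              enabled account unused for more than inactive_days
    """
    findings = []
    inactive_cutoff = today - timedelta(days=inactive_days)
    retention_cutoff = today - timedelta(days=retention_days)

    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"].strip()
        status = row["status"].strip().lower()
        last_login = _parse_date(row["last_login"])
        end = _parse_date(row["employment_end"])

        # Leavers first: whether the account is used is irrelevant once the
        # person has no relationship with the organization.
        if end is not None and end < today:
            if status != "disabled":
                findings.append((user, "leaver-enabled", str(end)))
            elif end < retention_cutoff:
                findings.append((user, "leaver-past-retention", str(end)))
            continue

        if status != "active":
            continue  # already disabled; nothing further to do here

        if last_login is None:
            findings.append((user, "never-logged-in", ""))
        elif last_login < inactive_cutoff:
            findings.append((user, "inactive", str(last_login)))

    return findings


def sample_findings():
    """Run the review over the constructed export as of 2013-06-01."""
    return review_accounts(SAMPLE_EXPORT, date(2013, 6, 1))


if __name__ == "__main__":
    for user, finding, detail in sample_findings():
        print("%-8s %-22s %s" % (user, finding, detail))
```

Run against the sample export, the script flags bob (left in January but still enabled), carol (never logged in), dave (disabled leaver kept far past retention) and frank (no login since December); alice and erin are left alone because they are current employees with recent logins. Feed the output into your ticketing or directory tooling rather than acting on it by hand.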
Offsite Security Measures:
The most important security measure your organization can take is ensuring your data is protected with the right security solutions, especially on equipment that can be taken outside the organization. Appliance-based security solutions, such as EdgeWave's iPrism Hybrid Remote Web Filter, can provide accurate off-site policy enforcement, so that mobile devices are as secure as those in-house.
As the WVC administrator's error shows, many instances of accidental data loss happen through e-mail. E-mail security solutions, such as the ePrism Data Loss Protection and Encryption Service, can stop private and confidential information from leaving your organization and alert you to its presence. Solutions such as ePrism can be configured to automatically encrypt messages when information such as credit card or social security numbers, healthcare records or other proprietary information is detected.
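To show what "detecting" a social security or card number in an outgoing message actually involves, here is an added example of the pattern-plus-validation approach a DLP content filter takes. It is illustrative code written for this post, not ePrism's implementation; the message samples are constructed, and the policy (encrypt when any match is found, report only masked values) is an assumption. The validation steps matter: a bare nine- or sixteen-digit regex would flag ticket numbers and order references, so the SSN check rejects values the SSA never issues and the card check requires a Luhn-valid number.

```python
"""Detect US SSNs and payment card numbers in outgoing message text.

Added example (not ePrism's code). Demonstrates why a DLP rule pairs a
regex with a validity check, and why alerts carry masked values only.
"""
import re

# Formatted SSN: area-group-serial. Word boundaries avoid matching inside
# longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text):
    """Return {'ssn': [...], 'card': [...]} with masked values only, so the
    DLP alert itself does not leak the data it caught."""
    found = {"ssn": [], "card": []}

    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if valid_ssn(area, group, serial):
            found["ssn"].append("***-**-" + serial)

    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"].append("*" * (len(digits) - 4) + digits[-4:])

    return found


def policy_action(text):
    """Assumed policy: encrypt the message if any protected data is found."""
    f = scan_message(text)
    return "encrypt" if f["ssn"] or f["card"] else "allow"


# Constructed sample messages (the card number is the well-known Visa
# test number; the SSN is a format-valid placeholder).
SAMPLES = {
    "alumni": "Please confirm SSN 123-45-6789 for the alumni file.",
    "invoice": "Charged to card 4111 1111 1111 1111 today.",
    "ticket": "Ticket 000-12-3456, ref 1234 5678 9012 3456 is closed.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, policy_action(body), scan_message(body))
```

The third sample is the false-positive case: "000-12-3456" has the SSN shape but an impossible area number, and "1234 5678 9012 3456" has the card shape but fails Luhn, so neither triggers encryption. A production filter would add more classes (bank account formats, patient identifiers, keyword proximity such as "SSN" or "DOB" near a number) and would scan attachments as well as the body.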
Early Detection Measures:
The fear of harsh consequences can often delay an employee from reporting the loss of a device that contains important data. One of the main tools for regulating employee behavior is a company Acceptable Use Policy (AUP), so that infractions, intentional or not, are addressed by the consequences set out in that document. When those consequences are crystal clear and known in advance, escalating a data loss to the appropriate personnel can happen promptly rather than being delayed by uncertainty.
For a more comprehensive look at how your organization can benefit from increased data security, be sure to contact one of our EdgeWave team members, who will be more than happy to delve into data security in more depth.
As always, we welcome your questions and remarks in the comment section below.