When most people think about a data breach, they think about a trenchcoat-wearing external agent hacking into a database of personal information, pushing up their sunglasses, and muttering “I’m in”. The reality is a lot less exciting but a lot more preventable. According to research by Clearswift, 42% of data breaches in 2016 were caused, purposefully or inadvertently, by employees. There are several precautions you can take to ensure that your customers’ sensitive information is as safe as possible.
Educate Your Organization
Many internal breaches are caused by employees mistakenly sending money or sensitive information to an impostor posing as the organization’s CEO or similar high-profile figure. In 2016, a Snapchat employee emailed the payroll information of hundreds of current and former members of Snapchat to an impostor posing as the CEO of the organization.
There are many articles that discuss how to detect whaling and phishing emails, so this article won’t go into particularly heavy detail on the subject. However, one of the most important principles of defending yourself against scam emails is to not panic. Much like robocalls designed to convince the recipient that they are going to be arrested or popup ads saying a virus has been detected on your phone, numerous whaling messages use urgent, strong language to convince the recipient to make a poor choice out of adrenaline. Nothing is urgent enough that you don’t have time to ask your coworkers if an email is legitimate.
Sometimes data is leaked because an employee doesn’t know the right protocol for handling it. For example, the information of about 3500 employees of the city of Calgary was leaked when an employee sent worker’s compensation claim reports to the personal email of a member of a different Canadian municipality. In this case, having a concrete policy that can be referred to makes it much easier for an employee to know what they can or can’t do with the information they have.
Know Your PII
Internal data breaches frequently involve disgruntled employees leaking PII or a device with sensitive data on it being lost. While some of these things are realistically unavoidable, others are because the company didn’t practice strict enough information governance. Without knowledge of where sensitive data is located enterprise-wide, the chances are raised for that data to end up someplace where it shouldn’t be.
Accidental loss of PII can be better avoided if the PII in question is identified and placed in locations on the company’s computer infrastructure that can’t be lost as easily: A server room versus a laptop or USB drive, for instance. Important files, when properly tagged, can also be access-restricted, both to limit the number of users who have the ability to do damaging things with the information and to maintain confidence should equipment be lost or go missing.
No matter how many locks you put on your door, you still wouldn’t leave stacks of money lying around in your living room. Proper defense against breaches means paying just as much attention to internal issues as external ones. Good education and proper information governance will go a long way to keeping your company’s name out of the scary headlines.