When data moves outside a trusted network, the default response may be to assume malicious intent. We see news headlines about employees stealing data, so we condition ourselves to conclude that data leakage is usually malicious. In some cases it may indeed be deliberate theft, but when trusted employees leak data, we should take a moment to look more closely, because data breaches often happen through employee error or negligence.
The vast majority of your employees are well-meaning, hardworking people who never intended to cause a security problem. In fact, in 2020, 17% of all data breaches were caused by human error, twice the share seen in 2019.
Maybe a new employee adds their personal iCloud drive to a work device to keep their personal information handy, but does not realize that a default setting will eventually upload company data to that iCloud account automatically. Or a team member working remotely during the pandemic accesses files from a personal laptop when their work computer is not available. Either way, the employee did not intend to cause a problem. A security team that simply concludes the employee is at fault does nothing to prevent the next data loss.
In fact, assuming that employees want to steal your intellectual property or trade secrets pits your security team and your employees against each other, and can create unnecessary stress around security. We need a better approach. First, assume that your employees are just trying to get their work done and that their actions come from positive intent.
Building a security culture based on positive intent begins on an employee's first day. Incorporate security into your onboarding process, even if you only discuss it for five minutes. Use this time to set the tone: your security team is not there to police them, and you need employees' help to protect company assets. You should also lay the groundwork for how employees can best work with the security team: if they need help, have questions, or need to report an issue or concern, where should they go?
It is also important to provide regular, effective cybersecurity training that positions your employees as security heroes rather than adversaries. Do not focus only on malicious data theft; also give your team information on the common ways data leaks accidentally, to raise awareness and prevent it from happening in the future.
As with any training, you have to make sure it sticks. How? Make the training itself engaging. Vary the format and make it interactive where possible. Treat phishing simulations as a security challenge that employees can work to improve their scores on, by not clicking on test emails and by reporting them, and be transparent about why you run phishing training. We usually give new employees a heads-up: we will conduct phishing tests. This is not a trick; it is meant to help them learn to identify and report suspicious emails. We cannot expect people to perform well at something they have had no chance to practice.
Transparency goes a long way in both directions. At Code42, we also ask employees to let us know when they have a business or personal reason to move or share files. For example, an employee who was leaving the company recently notified our security team that they planned to transfer some personal photos saved on their work drive to a personal drive. This proactive behavior helps because it shortens investigation time and lets our security team suggest more secure transfer methods, such as encrypted drives.
You may still encounter cases where an employee maliciously steals data. Even so, it is better to start by assuming that the person behind a data incident had positive intent, because that is usually the case. When contacting employees to address security lapses or mistakes, the language and wording you use go a long way toward showing that you are there to help, and toward making employees feel comfortable and willing to work with your team.
For example, if you find a suspicious file transfer, you can send the employee a note along the lines of "We noticed a file transfer to a personal email account. Can you confirm whether you are aware of it?" rather than "We received a notification that you transferred files to your personal email account, so we are locking your computer." Or, if someone has not completed the required security training, you can say: "Our records show that your security training has expired. Can you confirm?" Usually this prompts the employee to ask where to find the training, which indicates an education or communication issue, not negligence.
Security incidents can be stressful for employees and the security team alike. We need to rewrite and reinforce the security narrative to emphasize that most employees mean well. Doing so shows your employees that your team sees them as trusted security partners, and makes the company more effective and proactive in its approach to security.
Chrysa has worked in corporate security for 13 years. She has built security awareness programs from the ground up in industries including retail, technology, and healthcare. Chrysa is currently the Security Awareness Manager at Code42. She is passionate about admiring her life.