Data leakage – is it simple theft?
When data leaves a trusted network, it is tempting to assume that malicious intent is involved. In some cases, we are right. But when the leak involves employees we trust and hired ourselves (assuming a sound hiring process), we should take the time to dig in and learn what actually happened. Data leaks are very common, but most of them are the result of employee error or negligence rather than theft.
Imagine the following situation:
- A new employee adds their personal iCloud Drive to their work device for easy access to personal data, not realizing that a default sync setting automatically uploads files saved on the device, company data included, to their iCloud account.
- A team member working remotely during a pandemic opens a work file on his personal laptop because his company computer will not charge.
- USB ports are blocked and a presentation for a client has to be printed quickly, so an employee sends it to his private email account to print it on an external printer.
- An employee carelessly copies data to a personal OneDrive instead of the corporate instance and forgets to delete it.
The assumption that employees want to steal your intellectual property or trade secrets pits security teams and employees against each other and adds unnecessary stress. That is why building a security culture based on positive intentions starts on an employee's first day on the job. Incorporate security into the onboarding process, even if you only talk about it for five minutes. Use this time to set the tone: the security team is there to help, not to police, and it needs employees' help to protect company assets. Also lay the groundwork for how employees should interact with the security team: where do they go if they need help, have questions, or want to raise an issue or concern?
Proper cyber security training is also essential, and we are not talking about dry, health-and-safety-style training. As specialists, we work with Proofpoint Security Awareness Training. There is a reason it has been named a Gartner leader in the security awareness training market six times.
The solution focuses on two main steps:
- Risk identification: identifies who is under attack and assesses their ability to defend themselves. The solution measures risk using Very Attacked People (VAP) reports, threat simulations and knowledge assessments. VAP reports show who is most often targeted by attackers and who clicks on known malicious content. Simulations can use templates drawn from Proofpoint's threat analysis, so they give a realistic measurement of user risk, and knowledge assessments can be fully customized. Situational cyber security knowledge tests are also introduced at this stage.
- Behavior change: Proofpoint delivers targeted, threat-based education to the right users. The educational content is fully customizable and built on learning science principles, so that users stay engaged during training and retain the key skills. The content we implement includes:
– Interactive training modules.
– Video training modules.
– Game-based training modules.
– Security awareness materials including posters, infographics, newsletters and more.
– Curriculum materials for administrators.
We cannot expect employees to be good at something they have never been taught or practiced.
Naturally, there is still a risk that an employee could steal data deliberately. It is still best to approach any data leak with the assumption that the person behind it had positive intentions, because they often do. Assuming good intent governs the tone of the conversation, not the investigation: still establish what data left, where it went and whether it has been removed. When you contact an employee about a security incident or error, the language and wording you use go a long way towards showing that you are there to help, and make the employee comfortable and willing to work with your team.
To reduce the stress that comes with the sensitive nature of IT security and the information we need to protect, we need to change and reinforce the security narrative. We need to show employees that we believe in their good intentions. By doing so, the IT security team shows colleagues that it sees them as trusted security partners. It stops acting as the "IT police", and the company as a whole becomes more efficient and proactive in its approach to security.