When we hear about data breaches in the news, we often imagine some nefarious figure, sitting in a darkened room, hands on keyboard, using multiple mechanisms, applications, or tools to attempt to hack into a company’s network. While it’s certainly true that data breaches are, at times, the result of phishing or supply chain attacks, nearly 90% of data breaches can still be traced to human error. Further, C-Suite executives assert that 31% of data breaches are the result of an insider or employee.
Clearly, data and document privacy, confidentiality and security are a major issue for businesses. In response, we spend a lot of time discussing the impacts of breaches, in terms of money ($3.86 million average cost per breach in 2020) and reputation loss. It’s equally important to focus on the internal problems and on the prevention strategies we have at our disposal.
- Why is Document Confidentiality Important in the Workplace?
- What Type of Information Must Or Should Be Protected?
- 7 Ways Employers Can Protect Confidentiality in the Workplace
- Solutions to Help Secure Your Data
Why is Document Confidentiality Important in the Workplace?
Workplace confidentiality has several meanings, all of which relate to how we keep business information and data that belongs to our company, our customers/clients, or our vendors restricted to the people who need access. Depending on the industry, government regulation may also govern data and document confidentiality, and adherence to those regulations is compulsory. Failure to comply could result in legal action.
While avoiding fraud and legal disputes is paramount, so is maintaining the integrity of your business and the trust established both within and by your organization. Failure to protect sensitive data and information can have major financial and reputational impacts that are long lasting. As a result, organizations may have difficulties recruiting and retaining top talent as well as earning and retaining customers.
Threat of Employee Data Leaks
Typically, discussions of data leaks center on external threats. Those certainly exist, but our attention to them means we often overlook the threats that exist within an organization. In fact, employees and contractors are often the number one cause of data breaches, with 68% of organizations reportedly feeling threatened by insider attacks. Further, 72% of employees admit to taking company data or documents when they leave, and 70% of intellectual property theft happens within 90 days of an employee’s departure.
Inadvertent data leakage may be the result of a phishing scam, where a user or employee falls for an information or data request from what appears to be a known individual (with access rights) or from a spoofed email. It may also be simple carelessness in handling data. For example, in 2016 a departing FDIC employee copied data to a personal storage device, resulting in a breach affecting roughly 44,000 customers. There was no bad intent; the employee simply failed to remove sensitive data from the drive.
Employees may also leak data inadvertently simply by viewing documents in non-secure environments or in the presence of other individuals who should not have access to that data. Visual hacking is a very real problem. In 49% of cases, it took less than 15 minutes for someone to steal data or information from a screen within view, and in 63% of cases the “job” was complete in under half an hour. In short, it doesn’t take long for someone viewing your screen to gather valuable information and use it to access a network or feed a larger data breach.
Negligent events occur when employees fail to adhere to security standards or protocols set by industry regulations or by internal data security governance policies. The 2017 Equifax breach is the standard example. Attackers entered through a publicly disclosed vulnerability in a web application framework for which a patch had been available for months but had not been applied. Worse, a certificate on Equifax’s network traffic-inspection device had expired, so encrypted traffic was no longer being inspected and the intrusion went undetected for months while data was exfiltrated. Patch management and certificate renewal both belong in a comprehensive data security governance policy. While the structural issues are of concern, had Equifax been more vigilant in monitoring and adhering to its own standards, the breach would likely have been detected and contained far sooner.
Finally, employees with malicious intent are typically disgruntled employees who steal data or information with the intent of using or selling it. There are many examples of this, from the Waymo and Uber trade-secret case to engineering firms that lost valuable data and designs to an employee leaving to start his own firm. In an industry report, 66% of respondents said an internal data breach is harder to defend against than an external attack, so be sure to take precautions to minimize data lost through employee actions.
What Type Of Information Must Or Should Be Protected?
The short and simple answer to this question is that any document or data that, if leaked, could be seriously detrimental to the well-being of a customer/client, vendor, employee, or your business and its future should be protected. However, a more comprehensive list includes:
- Information required by industry regulation or law to be kept secure and confidential (under HIPAA, FERPA, etc.).
- Documents with employee, client/customer/vendor personal information including, but not limited to: job application data (background checks), pay scale, termination records, bank account numbers, user names, credit card numbers, social security numbers, PINs, and passwords.
- Norton identifies other sensitive information as addresses, residential and employment histories, important dates, mother’s maiden names, and any information that could be used to compromise someone’s identity or invite access to your network.
- Office plans and employee IDs
- Internal or proprietary procedures or operations manuals
- Market research and marketing plans/initiatives
- Business strategy and development documents including upcoming mergers and acquisitions or other company re-organizations
- Research and development data, pending patents and any other intellectual property (trade secrets)
- Any financial records or investments including revenue sources and profits and losses
- Contracts (internal/external)
7 Ways Employers Can Protect Confidentiality in the Workplace
Any business, for the sake of legal compliance as well as its financial future and reputation, should be putting data and document security at the top of its security concerns. While a comprehensive data security governance framework should include all the items noted below, there are specific measures you can take to mitigate the risk of both internal and external data leaks.
Train Your Team
This oft-neglected element of data security governance is among the most important, especially considering the role human error and negligence play in data leaks. While 88% of C-Suite executives report regular training, only 52% of small-business owners can say the same. Other research suggests only 45% of companies have mandatory cybersecurity training.
While initial training often occurs during onboarding of new employees, keeping your team updated and informed about the latest threats, risks, and implemented security protocols can make the difference in your data security. In fact, further research reveals that only 6% of organizations offer monthly training, with another 4% offering it quarterly. Simply put, that’s not enough to keep your employees and leadership aware of security concerns and preventive practices.
Just as relevant and timely training for your employees is vital, having a data security governance team and plan is essential. This team should keep a close eye on cybersecurity threats relevant to your organization and your industry, as well as general developments in the field. It’s not just about keeping your team apprised of threats, but also about looking for security solutions that protect your data and your organization.
Include Non-Disclosure Agreements in Employment Contracts
In any industry that handles a lot of personal data or proprietary information or intellectual property, it should be a standard practice to have any employee with access to that information sign an NDA upon hiring. Further, you may wish to be explicit in your detailing of what information or what category of information falls under the agreement. Similarly, the agreement should be very clear about the expectations regarding relinquishing any data or documents related to the business upon their departure. Not only does this provide legal protections for your business, but it also helps establish, from the onset, the value and importance of data security within your organization.
Include a Comprehensive Confidentiality Policy in the Employee Handbook
Including a confidentiality policy in your employee handbook provides an extra layer of protection, and one your employees can review, as needed, when handling information. The policy should state that hard copies of sensitive and confidential information must be shredded for disposal. It should also require that digital files and documents be created with access controls applied, so that only authorized individuals can open them.
Managing Document and Data Access
One of the best ways to protect sensitive data and confidential documents is to restrict access to the document, and to the location where it is stored, to only those individuals who need it. Access should be denied by default and granted per role, and security teams and administrators should monitor every access to the secured, segmented network areas where confidential documents are stored, so that unusual patterns (repeated denials, or one person reading far more than their job requires) are noticed.
Physical security is paramount as well. Any hard copies of documents should be stored in locked file cabinets or other secure locations.
Scrutinizing all the tools at your disposal and selecting robust security technologies to protect your documents should be a top priority from C-Suite executives to employees throughout the organization.
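The following is an added example, not code from the original page or from Smart Eye Technology, showing the two halves of the access-control point above: a default-deny, role-based check on document reads, and a monitor that reviews the resulting audit trail for repeated denials or bulk reading of sensitive documents. The documents, users, roles, thresholds and timestamps are all constructed for illustration.

```python
"""Need-to-know document access with an audit trail and a simple monitor.

Added example; the inventory, directory and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed document inventory: classification and the roles cleared to read each file.
DOCUMENTS = {
    "payroll-2020.xlsx": {"class": "confidential", "roles": {"hr", "finance"}},
    "merger-plan.docx": {"class": "restricted", "roles": {"executive"}},
    "ops-manual.pdf": {"class": "internal",
                       "roles": {"hr", "finance", "engineering", "executive"}},
}

# Constructed directory: the roles held by each user.
USERS = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": {"executive"},
}


def can_read(user, doc):
    """Default deny: unknown users, unknown documents and users holding no
    cleared role are all refused."""
    roles = USERS.get(user, set())
    entry = DOCUMENTS.get(doc)
    if entry is None:
        return False
    return bool(roles & entry["roles"])


def read_document(log, user, doc, now):
    """Enforce the check and record the decision in the audit log either way;
    denied attempts are as important to the monitor as allowed ones."""
    decision = "allow" if can_read(user, doc) else "deny"
    log.append((now, user, doc, decision))
    return decision


def flag_suspicious(log, window=timedelta(minutes=10), max_reads=3, max_denies=2):
    """Review the audit trail per user over a sliding time window and return
    sorted (user, reason) alerts for bulk reads of non-internal documents or
    repeated access denials. Thresholds are constructed for the example."""
    by_user = defaultdict(list)
    for ts, user, doc, decision in log:
        by_user[user].append((ts, doc, decision))
    alerts = set()
    for user, events in by_user.items():
        events.sort()
        for start_ts, _, _ in events:
            in_window = [e for e in events if start_ts <= e[0] < start_ts + window]
            sensitive_reads = sum(
                1 for _, doc, dec in in_window
                if dec == "allow" and DOCUMENTS[doc]["class"] != "internal")
            denies = sum(1 for _, _, dec in in_window if dec == "deny")
            if sensitive_reads > max_reads:
                alerts.add((user, "bulk access to sensitive documents"))
            if denies >= max_denies:
                alerts.add((user, "repeated access denials"))
    return sorted(alerts)


def demo():
    """Constructed activity: bob probes files outside his role, alice reads
    payroll repeatedly in a short span, carol does her normal work."""
    log = []
    t0 = datetime(2020, 6, 1, 9, 0)
    read_document(log, "bob", "payroll-2020.xlsx", t0)
    read_document(log, "bob", "merger-plan.docx", t0 + timedelta(minutes=1))
    read_document(log, "bob", "ops-manual.pdf", t0 + timedelta(minutes=2))
    for i in range(4):
        read_document(log, "alice", "payroll-2020.xlsx", t0 + timedelta(minutes=i))
    read_document(log, "carol", "merger-plan.docx", t0)
    return flag_suspicious(log)


if __name__ == "__main__":
    for user, reason in demo():
        print(f"ALERT {user}: {reason}")
```

The monitor deliberately keeps internal-classification reads out of the bulk count so that routine use of widely shared material does not generate noise; in practice the thresholds would be tuned per role, and the audit log would be written somewhere the user being monitored cannot alter it.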
Establish a Data Security Governance Team
All of these measures require identifying which data and documents need protection and at what level; developing and implementing a plan; determining which tools best support that plan; training employees on an ongoing basis; and monitoring progress and compliance. Your data security governance plan is the document that tells every employee how to handle confidential information and sensitive data, and it should reflect the specific needs of your industry and business.
Establishing a team made up of IT professionals, executives, and representatives from key departments is important. A varied and diverse team representative of all segments of your organization means you get input regarding what secure data they work with as well as assistance in disseminating information, monitoring, and enforcing policies.
Conduct Regular Security Audits
As noted above in the Equifax breach, two of the primary issues were an unapplied patch and an expired certificate on a traffic-inspection device, both lapses that a routine audit would have surfaced. If your data security governance team performs regular security audits in conjunction with vulnerability assessments and penetration testing, you can proactively catch lapses and vulnerabilities due to oversight. Regular monitoring and auditing also help establish the value of security and confidentiality within your organization. Alignment across your team on the importance of this issue creates a culture that supports your security initiatives, goals, and needs.
Solutions to Help Secure Your Data
One of the primary goals of your data security governance team will be identifying available solutions on the market that solve security challenges and provide preventive and proactive tools to keep your data safe. In searching for solutions, you want one that helps you stay a step ahead of external attackers as well as of employees acting maliciously or negligently.
Advanced security technology platforms that provide innovative and forward-thinking solutions for document privacy and security are a great tool for any organization. One of the most comprehensive and innovative advanced security technologies is Smart Eye Technology, an all-in-one platform that leverages continuous and multi-factor biometric authentication to restrict document access, enable secure file sharing, give you real-time transparency into and control over shared files, and execute identity-verified e-signatures.
If you’re looking for cutting-edge robust security solutions that ensure the confidentiality of your documents when viewing, sharing, signing and storing then get in touch with the Smart Eye Technology team today or simply request a demo!