They say employees are your biggest asset, but what should you do when they become your biggest risk?
Not all attacks on your data’s security are external.
Human error has been recognized as one of the most common reasons for data breaches. Irresponsible behavior and negligence of company employees give malicious agents a free ride into sensitive data and critical assets.
On top of this, business owners (more specifically, the HR department) must be more mindful of their employees’ data to comply with the latest GDPR solutions. Failing to ensure compliance will put them at risk of paying hefty fines and penalties.
In this Nira guide, we’ll explain employee data security, detailing how you can prevent employee negligence and protect your employee data per the new GDPR guidance.
What Is Employee Data Security Anyway?
Employee data security refers to ensuring the integrity, confidentiality, and availability of data by educating employees in the practice of protecting digital information from unauthorized access or theft throughout its lifecycle.
It’s a broad concept that encompasses information security aspects, ranging from administrative and access control to the physical security of hardware and storage devices. Even the logical security of software applications comes under its purview.
The idea is to enhance your visibility into where critical data resides within your organization and how it’s utilized, using advanced tools and technologies that can help you apply for top-level protection like encryption, redaction of sensitive files, data masking, and so on.
When you successfully implement robust data security strategies, you can protect your company’s information assets against criminal activities while simultaneously eliminating insider threats and human error.
How Employee Data Security Works
Before we talk about how to train your employees on data security, you need to be aware of how employees end up compromising enterprise data–either accidentally or purposefully.
Here are the four most common ways in which employees can threaten data security:
Employee theft refers to situations when disgruntled employees steal their company’s information with malicious intent. Although these threats are rarer than other organizational threats, they are also harder to detect and difficult to defend against.
Think about it: any data breach will hurt your company’s reputation, so you can imagine how bad it looks when it comes from the inside.
Poor Password Practices
Dating back to the invention of spoken language, passwords are the oldest authentication method in use. This doesn’t mean they’ve become obsolete, though. The problem here is the questionable way most people pick them.
Although it may seem like we’re joking, some employees still use passwords like 123456 or their birthday to make it easier for them to log into their systems. What they don’t realize is how easy they make it for a cybercriminal to get access to their company’s most sensitive and valuable data.
Phishing and Social Engineering
Employees often fall prey to phishers and social engineers and unintentionally/innocently let those bad actors exploit internal data, including passwords, to gain access to company records.
Phishers set up fake companies that employees are likely to interact with, such as an enterprise software vendor or an email provider. Thinking them to be legitimate, employees end up submitting their data via phone or email.
Social engineers also operate similarly, where they manipulate employees, leading them to divulge confidential information like passwords, bank information, or access to systems.
Phishers and social engineers are practically wolves in sheep’s clothing who are out for your data. Any failure on your employee’s part to recognize them immediately lets your company’s guard down.
Employees create security threats when they aren’t careful when hitting the “Download” button.
Cybercriminals can disguise a virus into seemingly harmless CTA buttons. It can be a helpful productivity app, a website extension, or a risky link from an unrecognized email. The virus spreads through your network as soon as your employees click on the link—even across the servers containing your most precious data.
It’s why you should encourage your employees to be careful when opening emails when working or surfing the internet and train them on what to watch out for.
These are the common ways employees put the company’s sensitive assets in danger, which ironically includes their personal information. Luckily, we have a solution that can significantly minimize data breach risk: data security training.
What is Data Security Training?
Data security training educates employees on data security best practices preventing data modification, loss, disclosure, and theft.
Employees can intentionally or unintentionally compromise data. But when they are trained in information security, they’ll know to handle information assets better and identify malicious attempts more effectively.
We want to also clarify that data security isn’t the same as cybersecurity.
While cybersecurity refers to the practice of protecting data and systems to ensure any data and information circulating in cyberspace isn’t stolen or compromised, data security isn’t exclusively about data stored in cyberspace.
Naturally, cybersecurity training and data security training are also different. While the former outlines breach attempts against systems and data in cyberspace, the latter covers both online and offline information and threats.
Let’s take a closer look at some of the most notable data breaches caused by employee negligence.
Example 1: RSA — Employees Click on Targeted Phishing Attacks
In March 2011, two hacker groups joined forces with a foreign government to launch phishing attacks on RSA employees.
RSA employees ended up clicking on targeted phishing attacks, which they naively believed were harmless links sent by trusted coworkers and contacts. They unknowingly helped the cybercriminals launch a successful advanced persistent attack, which compromised 40 million employee records.
After gaining access to systems, the cybercriminals compromised SecureID authentication tokens. This dealt a huge blow to RSA’s reputation, especially because it had long been held in high regard as a reliable security vendor.
Example 2: Sage — Unauthorized Employee Access
In 2016, Sage saw an insider-caused data breach that ended up compromising 280 of its business customers.
The attack was caused by a former employee who used unauthorized access to steal private customer information, which included sensitive data like salaries and bank account details.
When compared to our other two examples, the Sage breach is certainly smaller in scale. Yet, it perfectly illustrates how dangerous insiders who can get access—authorized or unauthorized—to highly sensitive customer data can be.
What’s more, this disaster could’ve been easily averted if access to critical data had been restricted using the principle of least privilege that states any user, program, or process should only have the bare minimum privileges required to carry out a function.
Example 3: Marriott — Leaked Data Because of a Compromised Third-Party App
In January 2020, malicious agents exploited a third-party app used by Marriott to provide guest services to get unauthorized access to 5.2 million Marriott guest records, including contact information, gender, loyalty account details, birthdays, and personal preferences.
Cybercriminals were able to compromise the credentials of two Marriott employees, through which they logged into one of the hotel chain’s third-party applications. What made matters worse is that the hotel’s cybersecurity systems failed to identify any suspicious activity in these employees’ profiles for over two months.
How Can Organizations Protect Employees’ Personal and HR Data?
The HR department of a company has access to tons of personally identifiable information (PII), such as employee names, Social Security numbers, dates of birth, and home addresses. It’s what makes them a goldmine for threat actors and cybercriminals.
Keeping this in mind, the responsibility of business owners and HR managers to protect all this sensitive data from a multitude of potential threats, such as employee negligence and cybersecurity breaches, becomes greater.
The General Data Protection Regulation (GDPR) has also issued strict rules concerning sensitive data safety, and it’s the HR department’s job to enforce compliance.
Here are some of the main tasks HR should address to comply with employee data security and GDPR protocols:
- Periodically update and review privacy policies for all staff.
- Restrict access to personal information, limiting it to only those people who need it.
- Consider whether the company needs an employee monitoring system (email monitoring, CCTV)
- Clearly document the reason behind processing personal information.
- Educate employees about their rights-the right to access, rectify, and erase their data.
- Follow timely document deletion. If you hold any redundant sensitive data, make sure to delete it immediately.
How to Improve Employee Data Security
Below, we’ve outlined a few steps to help improve information protection within your system.
Step 1: Know All the Sensitive Data You Hold
You can’t prevent data breaches and leaks if you don’t know what to protect in the first place.
You need comprehensive knowledge of all your sensitive data—where it’s stored and what data you have for every current and former employee. We highly recommend using data identification software to scan your entire system to identify any data that may have been lost, misplaced, or forgotten.
Carrying out a data discovery assessment is another tactic to know all the sensitive data you have.
Step 2: Apply Encryption at the Granular Level
Encryption can be incredibly useful to keep a check on breaches and malicious attacks on your data. It’s the only way to stop a cybercriminal from reading sensitive files, no matter how deep a cybercriminal may penetrate into your system.
It’s why you should consider applying (or managing) file-level encryption at the business process or repository level to protect critical files. Plus, managing encryption becomes more manageable when it’s applied to a process or workflow proven to handle sensitive data through data discovery assessments.
Step 3: Limit Your Data on a Need-to-Know Basis
Every piece of data should be classified on a need-to-know basis.
Your employees don’t need to know what data the HR department has on another employee. Even HR professionals should have restricted access to employee files unless they have a specific business reason to do so.
Let us explain this with an example. Suppose a manager needs an employee‘s phone number for a legitimate reason. Instead of sending them a copy of the employee’s entire contact form, the need-to-know protocol suggests sending over only the requested phone number and nothing else.
Step 4: Train Employees to Maintain Data Security Best Practices
We’ve said this before, and we’ll say it again: Employees must get the necessary training to understand the importance of data security. This includes password security, social engineering and phishing hacks, and file security practices. It’s the only way to enhance data security levels.
Once employees know how to maintain data security, they’ll be in a better position to not only protect their own sensitive data but also keep other company data and networks safe. Make sure even your HR team is involved in annual data breach response exercises, so they stay up to date with the latest security best practices.
Practicing good security becomes a habit, which will eventually enforce employee data security across all levels of your organization.
How to Protect Your Data with Real-Time Access Control
Nira is a real-time access control system that provides visibility and management over who has access to company documents in Google Workspace, with more integrations coming soon.
Contact us to request a demo: we’ll help you review your current setup, implement new access controls, or answer any additional questions you may have about keeping your data safe.