According to an Association for Corporate Counsel survey, “employee error” is the most common cause of a data breach. One example of the kind of employee error the survey cites, also discussed above in relation to spear phishing, is “accidentally sending an email with sensitive information to someone outside the company.”
This is something just about all of us have heard about or experienced directly. It can also be the result of a phishing scam: a cybercriminal crafts an email that appears to come from one of the organization’s executives, or from HR or accounting, asking for sensitive information such as a Social Security number or even a W-2 form. Other leading causes of data breaches include disgruntled employees, relaxed BYOD (bring your own device) policies, and the physical loss of a device.
Let’s face it, no matter how diligent an HR team is, you just can’t predict how employees behave. Employees can certainly be careless about sharing passwords, and in some cases, can even be persuaded to sell sensitive company passwords. And, losing a device is as easy as leaving a laptop in an Uber or leaving a cell phone in a restaurant.
No matter how it happens, keeping your employees protected is a daunting challenge when threats come from all directions.
Mobile devices and unstructured BYOD policies also create security risk and exposure. Not only has the average large enterprise been reported to have more than 2,000 unsafe mobile apps installed on employee devices, employees can often access, and then store, customer data and confidential client information on their personal phones.
When email or other sensitive data is retrieved over a cellular network and opened on a mobile device, it bypasses the organization’s network controls and logging, so the organization loses visibility into who accessed the data, when, and from which device.
Having HR partner with your organization’s IT team to ensure everyone at every level is being vigilant will help to address security vulnerabilities.
If a company can go a step further and hold regular monthly or quarterly meetings on how to stay safe in the digital workplace, and even run simulated phishing exercises against employees, it makes a difference. These proactive steps go a long way toward informing employees and keeping personal and corporate data safe.
At minimum, HR teams and executives should have a proactive plan in place which includes:
Refresh your employee policies: Clearly state usage best practices around email, internet, social media, and mobile devices/BYOD.
Train your employees on security measures: Don’t assume that new, or even seasoned, employees know security best practices; technology and scams change fast. Train all employees and managers on how to protect confidential information and why it matters.
Establish a telecommuting policy: With companies increasingly adopting telecommuting, it’s critical to convey to employees that when they work outside the office, sensitive company information is no longer within the control of its four walls. Outline acceptable use of both company-issued devices and removable media, and the confidentiality requirements for company documents and information.
Know how to identify risky employee behavior: If an employee’s behavior raises questions, investigate it. It could signal a threat to the security of sensitive corporate information.
Maximize exit interviews: A proper exit interview procedure is a critical part of a strategic HR effort to protect confidential information. Ask the departing employee for all work-related passwords for any computers, devices, accounts, and files he or she has had access to, and work with your IT team to change those passwords; more important than collecting the passwords is disabling the employee’s own accounts on the last day and rotating any shared credentials, keys, or tokens the employee knew, since a password the employee remembers is still a way back in. Conduct a return-of-property review; have the employee disclose all company information or devices in his or her control. Collect all keys, access cards, badges, company credit cards, and other property.
In today’s digitized world, the chances of identity theft affecting your business are high. Employee education and training decrease the odds, as does having effective HR policies in place that are regularly reviewed and updated.