Nasty Employee Collaboration Blunders (and Steps to Protect Against Data Loss!)
Have you ever…
…accidentally sent an email to the wrong person?
…taken a file with you when you left a company?
…printed a document and then left it on the printer?
…copied a file to a USB stick, which you left someplace, like an airport?
My guess would be that the majority of you reading this can answer yes to all of these. The reality is that we live in a world where content leaves the hands of a company, rightly or wrongly. The challenge is that employee collaboration blunders are a problem, especially when sensitive information is put at risk.
We trust our employees, but as our workforce adopts new devices and collaboration methods in order to do their jobs, we can no longer rely upon education about policies and regulations. According to the ID Theft Center, as of July 12, 2016 there have been 522 reported breaches exposing a whopping 12,983,562 records. Of the breaches, I estimate that approximately one in seven is a result of employee collaboration blunders. Here are a few examples:
- TD Bank reported that it learned on March 24, 2016 that a document containing personal information was inadvertently sent to an incorrect email address and was received by an unauthorized party not associated with TD Bank. The personal information they may have received included name, address, Social Security number, and date of birth.
- On June 30th, California Department of Corrections and CA issued a letter because of a security incident that occurred on May 2, 2016 at the California Health Care Facility in which an employee inadvertently e-mailed a document containing personal information to the wrong person.
- The Washington State Liquor and Cannabis Board in June had to notify marijuana license applicants whose personal information was accidentally distributed by the agency in response to a public records request. The data may include social security numbers, driver’s license numbers, financial information, tax information and attorney-client privileged information. The LCB had redacted the documents for the records request, but a folder containing the personal information was accidentally included.
- Even Google is susceptible! In May, Google notified employees that a third-party vendor that provides Google with benefits management services mistakenly sent a document containing certain personal information of some of its Googlers to a benefits manager at another company.
- The FDIC had a breach incident in October 2015 where a former employee walked out with thousands of sensitive records stored on a thumb drive, including at least 10,000 Social Security numbers. The FDIC didn’t recover the data until December and failed to report the breach to Congress for almost four months, all while the CIO and inspector general battled over whether the leakage constituted a “major” incident.
- An employee at Hamilton General Hospital in Texas snooped into the medical records of 397 patients in May this year.
- In May, the UK National Health Services accidentally emailed the names of 700 HIV sufferers.
- Political leaders are also at risk. Last year, personal details of world leaders were accidentally emailed by G20 organizers.
As our CSO Leo Taddeo says, it isn’t a matter of ‘if you are breached’, instead it is ‘when you’ll be breached.’ Unfortunately, customers and regulators won’t care whether a breach was malicious or a simple employee mistake. If sensitive details were compromised, outrage and financial fines are likely to follow. So what can be done?
Protect Against Data Loss
Put technology in place to warn users they are about to violate a policy before they hit send, publish or print. If you’re collaborating on highly confidential information, you should also consider automatic controls to prevent the distribution of sensitive information to unauthorized parties through email. It’s best to restrict emailing the most sensitive files from an unsecured location such as a coffee shop or on an unsecured device like a personal smartphone.
Many inadvertent leaks happen through equipment theft or mobile collaboration, but sometimes, employees need to take corporate data with them when they travel. Automatic encryption and expiry on an unsecured device can prevent data loss through theft or copying, while allowing employees to work from any device and location, even if they copy a sensitive file onto a tablet to use during an airplane ride. Additional deny rules that prevent users from performing actions such as print, save as or copy and paste will also help keep confidential information secure.
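A minimal sketch of the pre-send check and unsecured-device controls described in the two paragraphs above, added here as an illustration and not taken from any product. The label names, control names, `SendContext` fields and `.example` domains are assumptions.

```python
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Controls attached when sensitive content is allowed onto an unsecured device.
UNSECURED_CONTROLS = ["encrypt", "expire", "deny:print", "deny:save_as", "deny:copy_paste"]

@dataclass
class SendContext:
    recipients: list       # full e-mail addresses
    label: str             # "internal" or "confidential" (hypothetical labels)
    device_managed: bool   # corporate-managed device?
    network_trusted: bool  # office or VPN rather than coffee-shop Wi-Fi

def find_ssns(text):
    """Return SSN-shaped strings, skipping number ranges that are never issued."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits

def evaluate_send(body, ctx, authorized_domains):
    """Return (action, reasons, controls); action is 'allow', 'warn' or 'block'."""
    ssns = find_ssns(body)
    confidential = ctx.label == "confidential"
    if not (confidential or ssns):
        return "allow", [], []
    reasons = []
    if ssns:
        reasons.append(f"{len(ssns)} SSN-shaped value(s) in message body")
    outside = [r for r in ctx.recipients
               if r.rsplit("@", 1)[-1].lower() not in authorized_domains]
    if outside:
        reasons.append("unauthorized recipient(s): " + ", ".join(outside))
    unsecured = not (ctx.device_managed and ctx.network_trusted)
    if unsecured:
        reasons.append("unsecured device or location")
    action = "allow"
    if confidential and (outside or unsecured):
        action = "block"   # most sensitive content: prevent, do not just warn
    elif outside:
        action = "warn"    # let the sender catch a wrong address before sending
    controls = UNSECURED_CONTROLS if unsecured and action != "block" else []
    return action, reasons, controls

# Constructed sample: SSN in the body, one recipient outside the authorized domain.
DEMO = evaluate_send("SSN 123-45-6789", SendContext(["pat@partner.example"], "internal", True, True), {"corp.example"})
```

The `reasons` list is what a warning dialog would show the sender before the message leaves, and `controls` is what the client would enforce on the copy that lands on the unsecured device.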
If you are collaborating on sensitive information – whether corporate information, personally identifiable information (PII) or protected health information (PHI) – you need security measures like these in place to protect your organization.
Check out our infographic, which looks at the aftermath of a breach, from costs to the areas of vulnerability and common attack vectors. But don’t despair, we also offer 7 ways to protect against breaches and reduce risk.
For a printable version of the infographic, download the eBook I’ve Been Breached! Now What?