Data privacy is taking center stage in countries worldwide. Organizations are strengthening privacy controls in the face of endless data breaches, tighter regulations, stiff penalties and customer pushback. We’re undergoing a major transition from the way the digital world has developed over the last 20 years; change is difficult, and old habits are hard to break. Compound that with the pace at which everyone moves these days, and it’s no wonder that privacy “accidents” happen, even in organizations with the best of intentions.
Here are a few of the leading missteps:
The infamous ‘reply-all’ and other email sins. Email has long been and remains the greatest source of accidental information sharing. Reply-all sometimes adds people to a thread that later takes a more sensitive direction and includes information not appropriate for the full distribution. It’s also common for users at all levels to forward a confidential thread, accidentally copy a redundant recipient or forget to remove them, or even forward messages to personal contacts. These actions extend to the ecosystem through which the data moves, widening privacy exposure risks. While cloud providers such as Google have introduced email message recall options, using them takes awareness of the error along with quick action, neither of which are always possible.
To help minimize these slip-ups, organizations need to work to prevent them in the first place. Keep up the drum beat of employee awareness-raising and training. Have a good revoke utility available to catch what messages can be caught and use tools that can double-check for any new recipients you may be emailing. Or, set up a system to insert an extra prompt reminding users to think twice before hitting ‘send.’
Cloud-enabled automatic sync and share. As employees bring personal devices into the work environment, organizational data can get mixed in with personal data. Forgetting that automated sync and share is enabled on a personal device is a sure-fire way for corporate—and potentially sensitive—data to end up outside the firewall in insecure environments, like a public cloud service (think Dropbox or Box) or even a home computer. Conversely, employees could be syncing their personal data into the corporate network—certainly not something most employees would want.
Fixing this is tough challenge. Of course, employee awareness is critical, but taking a frequent action with a personal asset (turning auto sync on/off) is a lot to remember and a lot for an employer to expect. Companies need to rethink BYOD policies to see what makes the most sense for their employee situation. One of the best ways to manage BYOD is to make sure that personal, employee information and corporate information is partitioned. BYOD policies should not enable employer access to personal data, and it’s important to make that clear in any documentation about employees’ right to privacy.
Inadequate Offboarding Practices. Terminated employees may have had access to many systems, applications and data sources during their employment tenure. The task of shutting off all of the access points an employee may have had can be an onerous process for the IT team, taking weeks or even months in some cases. That could be worse with shadow IT environments, entered into by lines of business that corporate IT isn’t even aware of. That access responsibility could be left up to department-level administrators who don’t know who had permission, forget or are simply overwhelmed with other tasks.
Addressing this issue should start with documenting initial permissions when a new hire is onboarded and building as the employee is given access to more systems and data over time. That’s a big administrative burden—and who is responsible for keeping up the paper trail as employees change roles and responsibilities within the enterprise? At a minimum, employers should keep a checklist of all of the types of systems that an employee might be able to access and track those accordingly—even asking the employee about systems they used during exit interviews. Turn off all known access immediately upon termination. Be sure to close old accounts and check former employees’ hard drives and emails for sensitive data that may remain. Hackers look for these types of accounts as great sources of sellable personal information.
There are certainly more ways that private data gets accidentally shared. That’s a good reason to regularly review points of vulnerability and root causes behind other breaches that may have occurred, when setting or revising corporate security policy.
Unfortunately, solutions that are difficult for end users to implement will inevitably result in them finding workarounds. So consider team input when planning new security mechanisms or practices, test usability options, keep up training and awareness campaigns and leverage new encryption-enabled technologies that can help track and secure your data wherever it may go. While accidents will always happen, adopting disciplined policies and practices will minimize the impact, and potentially your liability, when they do.