6 Ways Employees Are Putting Your Company's Data at Risk

IT walks a fine line between addressing security issues and giving people the tools they need to get the job done. Every day companies move sensitive data around, and IT is in charge of securing that data, but what about the little things that tend to fall through the cracks?

According to data from several recent surveys, there are a number of things your employees could be inadvertently doing that put your company's sensitive data and information at risk.

A survey done recently by Ipswitch, an FTP software organization, includes some of the reasons employees are putting sensitive data into places where IT has no control over what happens to it:

To circumvent file-size limits prescribed for work email

Third-party mail is faster and has fewer restrictions than corporate email tools

For use in their next place of employment

They find it difficult to connect to work email when outside of the office

IT doesn't monitor what they're sending via personal email

Sanjib Sahoo, CTO at tradeMONSTER, says he thinks about security and customer privacy a lot. Because the company works in the online brokerage portion of the financial industry, data is its lifeblood, and as CTO he puts extra emphasis on the security of that data.

"We have to put measures in place to protect against the loss, misuse and alteration of the information of customer data and any other data which we control. At the same time, we put a lot of importance on our intellectual property, considering that we have numerous patents, granted and pending, for our technology and platform," says Sahoo.

This means new employees who might not be fully aware of risks and data policies need training with regard to the balanced culture of concern, awareness and trust. "We implement a strict security policy and access control policy when employees join [the company]," says Sahoo.

A recent survey done by Harris Interactive on behalf of Fiberlink highlights many of the challenges that today's IT departments are facing. In the survey, 2,064 U.S. adults were asked about their mobile behavior. Many of the behaviors below are benign attempts to get the job done, but they could still expose sensitive corporate data.

Using Cloud Storage Services: More than 50 percent of people who responded to the Fiberlink survey reported uploading sensitive data to cloud services like Dropbox and iCloud. "Consumer file-sharing and synchronization services such as Dropbox are appealing to business users because they are accessible and convenient. However, it's those same attributes that make them a security concern for CIOs and IT professionals," says David Lingenfelter, the information security officer at Fiberlink.

Opening documents in third-party apps: Millennials are twice as likely to use their own phones and tablets for work and while working on the go is great, opening sensitive data in mobile apps such as QuickOffice, Dropbox or Evernote isn't great for your corporate data security.

"We define our VPN policies such that employees can connect remotely but get access to sensitive data/reports only through tradeMONSTER authorized devices. However, for emails etc., we make sure sensitive documents are kept in a shared location that is access controlled," says Sahoo.

"Opening documents in third-party applications presents some unique challenges related to putting corporate data at risk. The first risk is sharing data with third parties, including applications like Facebook, Twitter, Evernote and Dropbox. While employees may naturally use caution when forwarding emails, the 'Open In' functionality is much less obvious and they may be leaking data using 'Open In' unintentionally. A second dimension exists on the Android platform, where there is an increasing possibility that malware will play a role. Applications that impersonate trusted applications could be the recipient of confidential data when users open documents using the impostor," says Fiberlink's Lingenfelter.

Sending company data over personal email addresses: Eighty-four percent of respondents reported sending sensitive data via their personal email addresses. "Many times programmers view several security policies such as not being able to use personal email addresses, USB drives, etc. as a hindrance to their productivity. Transitioning them to a risk-aware culture, keeping morale high while keeping them motivated and creative is one of the toughest challenges a CIO can face," says Sahoo.

Using File Transfer apps: You've got to send a coworker a file that's 40 megabytes but you keep getting an error on your mail program saying the file is too large. That's a typical scenario that could find employees circumventing policy to get the job done.

USB thumb drives, smartphones and tablets: In a recent survey by Symantec, 62 percent of respondents said that it was acceptable to transfer work documents to personal computers, tablets or smartphones. The majority of these files, according to Symantec, are never deleted because employees don't understand the risks involved with keeping them.

Research from Fiberlink sheds some additional (and troubling) light. Fifty-one percent of employed U.S. adults surveyed who have personal smartphones/tablets use these mobile devices for work-related purposes, and a third of those who responded said that they have lost a USB drive with confidential information on it.

Data and IP Theft: Symantec's survey revealed that half of employees who either left their position or lost their job in the last 12 months kept confidential company data to use with their next employer or business. In a recent article, Robert Hamilton, director of product marketing at Symantec, said, "Trusted employees are moving, sharing and exposing sensitive data in order to do their daily jobs. In other instances, they are deliberately taking confidential information to use with their next employer."

Tackle the Digital Security Challenge

In these situations there is no way for the company to ensure that data is removed and/or deleted, and that represents more than a few challenges for IT security and policy makers. One solution, says Lingenfelter, is to prevent data loss through third-party apps. "It makes sense to restrict use of these apps on mobile devices in certain circumstances, depending on your industry or corporate security policies."

The answer, says Sahoo: "Make employees understand the goals and risks to the company, which in turn will encourage them to act accordingly. 'Entrust' not 'Enforce' works like a charm. Ignorance is avoided with training, and intentional violations are avoided by creating a culture of trust and respect within the organization."

That said, security, like many aspects of the tech market, is a moving target. You've got to understand the inherent risks and put policies in place to minimize risk. "With technology changing so much, it is very difficult to constantly scope all aspects of securities for employees, hence it is an evolving process," says Sahoo.
