How to avoid major compliance problems
FYI, this story is more than a year old
Article by Guy Bunker, SVP of Products, Clearswift
While threats from hackers and even terrorist organisations often grab the headlines, internal security breaches are in fact more common, whether from a malicious insider or through a simple mistake.
With GDPR now in full effect, it is vital that businesses of all sizes protect the sensitive information they hold and have the correct policies and technologies in place to ensure they do not become non-compliant with the newly enforced regulation. While this means that protecting critical information from hacking is now more important than ever, it also means that some of the day-to-day actions made by mistake by employees do not result in non-compliance. Under the new regulations, something as simple as mistakenly forwarding on an email to an unauthorised individual could result in the whole organisation being fined 4% of its annual turnover.
To determine just how bad this issue was, Clearswift surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia about the sharing of sensitive information. Despite the fact that almost half of respondents thought that their company had appropriate processes in place to be compliant, the research found that 45% of employees had mistakenly shared emails containing key data with unintended recipients. These included sharing personal information (15%), bank details (9%), attachments (13%) and other confidential content (8%) with someone who is not the intended receiver of the details.
The problem is not limited to unintentionally sharing sensitive data. The survey also revealed that 27% of employees claimed to have received emails containing personal information in error from outside of their company. In addition to this, 26% actually admitted to receiving attachments in error and a further 12% said they had wrongly received personal bank details.
How prevalent is this? How many times have you received and email, followed by a ‘please ignore / delete’ that last email I sent you (or the tell-tale sign of someone trying to retract a sent email)? Or how many times have you started an email address, it auto-completes, you hit send and 0.2 seconds later you realise it was the wrong person? OK, so perhaps it’s only once or twice a year, but multiply that by the number of employees and it can easily become a potentially daily occurrence.
With a large majority of the workforce both unintentionally sending and receiving emails in error, there’s an increased potential for data leakage via both inbound and outbound channels. What’s more, GDPR mandates shared responsibility for the security of information, making sharing and receiving unauthorised information a real pitfall for any organisation’s compliance efforts. The occasional piece of stray data may seem harmless, but the risk it poses to businesses becomes severe when you take into consideration how this information is handled.
Whether its credit details, spreadsheets containing customer or employee data, or a document containing personal details, if this information is sent to, or received by an unintended recipient, or even inadvertently published to a website, it can lead to serious violations, making a company fall foul of GDPR. In order to minimise the threat this poses to an organisation, there are a number of key areas which can be addressed.
The first is your people. There is a necessity in the early stages of GDPR to keep your employees as up to date as possible with new policies, processes and findings. This includes ensuring they are aware of the ramifications of sharing sensitive data via emails. Ultimately, training your staff in best practices for handling data should stimulate a sense of data consciousness in the workplace, ensuring that employees are not a vulnerability in the organisation’s cyber defences.
The next step is to update the policies and processes the organisation has in place. Having clearly defined (and accessible) guidelines whereby employees can report incidents should they happen is vital to developing data security within your organisation and will ensure employees are aware that it’s okay to report an incident and who the right person to deal with it is. With correct processes in place and a course of action for employees to follow, organisations will have greater visibility and control over potential security incidents.
Technology is your last line of defence. Ensuring that the workforce is completely aware of the consequences of sending data to unintended recipients is the most vital to ensure this kind of activity is reduced. However, mistakes will always happen. All organisations need to improve their cyber security efforts in light of GDPR and there are a number of solutions that can mitigate the threat of mistakes happening. For example, Adaptive Data Loss Prevention (A-DLP) technology has the ability to automatically detect and remove sensitive data which breaks policy, as it passes through the network to significantly reduce data leaks across email without reducing the speed of communication.
It can also be used for web-based data sharing as well, ensuring that uploaded and downloaded information complies with corporate policy.. Advanced features can also enforce policies around specific pieces of information (rather than just documents), ensuring the IT department has maximum control and increased visibility of the critical data within the organisation and how it is stored and communicated. This can help identify potential breaches before they occur.
With GDPR so prevalent, both in the media and to every company specifically, it is vital that organisations use this public visibility to ensure their employees have an understanding of their part to play in compliance. It is not just a job for the IT department. Every person in the company must play their part in keeping the business within the EU regulations. Ensuring that emails containing sensitive data are not sent in error to the wrong recipients is key to mitigating this risk and maintaining compliance.