15 June 2022

Data leak-proof environment – how to get there?

Business and organisational data flows through official and unofficial channels such as email, instant messaging, printers and cloud services. If employees handle the data carelessly and the company or institution does not put the appropriate controls in place, the data is easily lost. Below are the 10 most important rules for preventing data leakage in your organisation.

Attacks by internet criminals and malware are usually the most spectacular and widely reported cases of corporate data theft, and the loss affects not only the organisation itself but often countless individuals and other entities as well. Insider threats, however, are a growing problem: data leaks caused by careless or deliberate actions of employees. According to a Ponemon report, the number of such incidents has risen by 44% over the last two years. More than half of them were caused by employee negligence, and 26% by employees acting intentionally.

How do companies lose their data?

According to the US National Cyber Security Alliance, as many as 85% of small businesses experience a data breach, and about 60% close within six months of a major one. The cost of such incidents is often counted in millions or tens of millions. So-called "malicious insiders" misuse company data for various reasons: to harm the employer, to earn extra money or to advance their own careers. Employees can also be negligent and accidentally send data outside the company. Most insider incidents are unintentional, and their causes include hybrid work and the use of personal devices under the popular Bring Your Own Device (BYOD) model. Employees are often unaware of security processes, and network administrators lack the tools to oversee data flows and catch potential risks.

Examples of insider incidents

  • Hospital in Gliwice – data of patients who had SARS-CoV-2 swab tests leaked, including names, surnames and PESEL numbers. Experts have no doubt that fraudsters can use such patient data, for example to take out loans in the victims' names.
  • Wronki City Hall – one of the office's employees copied data from a computer, including names and surnames, residential addresses and PESEL numbers, as well as documents relating to residents' financial settlements and the rental of municipal premises.
  • Coca-Cola – in 2018 it emerged that a departing employee had taken an external hard drive containing personal data stolen from Coca-Cola. When the case became public, the company sent breach notifications to about 8,000 people whose data had been copied.
  • Trend Micro – the company suffered a data leak caused by an employee who had access to a customer support database containing names, e-mail addresses and support ticket numbers. The dishonest employee sold the sensitive data to an external party.

How do you protect the company against data loss from the inside?

Regardless of what data the organisation processes, there are several universal ways to protect sensitive information.

  • Perform an audit and find all your sensitive data. Know what data your company works with, where it is stored, and who can access and edit it.
  • Implement policies that specify how sensitive data may be handled, who may access it and for what purpose. Make sure the rules are easy to understand.
  • Educate employees and explain the importance of data security. They should be aware of what data the company handles and the consequences of its misuse.
  • Encrypt the most critical data so that it remains protected even if equipment is lost or stolen.
  • Monitor new and departing employees – screen new hires. Create a secure leaving process so that departing employees do not take data with them. If you suspect a violation, keep an eye on the person, check what data they have access to and whether they actually need it.
  • Allow only authorised devices – control which storage media can be connected to company equipment. Combined with appropriate file classification, this makes it harder to copy sensitive data outside the organisation.
  • File-sharing sites, social media and instant messaging – block data transfers to these channels, or at least notify employees about risky operations.
  • Email – restrict sending data to unknown external e-mail addresses and notify employees of a potential violation.
  • Internet, cloud, O365 – restrict data transfers to unofficial channels outside the company and notify employees.
  • Printers – check what documents employees print, using contextual information. This reveals potential data security breaches and lets you restrict the printing of documents containing sensitive data.
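The first rule above (find your sensitive data) and the channel rules that follow it (email, file sharing, cloud) come down to the same technical task: reliably recognising sensitive identifiers in content, whether on disk during an audit or in a message about to leave the company. The following is an added example, not Safetica's code and not part of the original article, showing how a scanner can recognise the PESEL numbers that appear in the incidents described above while rejecting other 11-digit numbers (invoice numbers, account numbers) that a naive pattern would flag. The file names and document contents are constructed for the illustration.

```python
import re
from datetime import date

# A candidate is a run of exactly 11 digits, not embedded in a longer digit run.
PESEL_CANDIDATE = re.compile(r"(?<!\d)\d{11}(?!\d)")

# Checksum weights for the first ten digits; the eleventh digit is the control digit.
WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

# The MM field encodes the century of birth by adding an offset to the month.
CENTURY_OFFSETS = {0: 1900, 20: 2000, 40: 2100, 60: 2200, 80: 1800}


def pesel_checksum_ok(pesel: str) -> bool:
    """Return True if the control digit matches the weighted sum of the first ten digits."""
    if len(pesel) != 11 or not pesel.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(pesel[:10], WEIGHTS))
    return (10 - total % 10) % 10 == int(pesel[10])


def pesel_birth_date(pesel: str):
    """Decode the YYMMDD prefix; return None if it does not encode a real date."""
    yy, mm, dd = int(pesel[0:2]), int(pesel[2:4]), int(pesel[4:6])
    for offset, century in CENTURY_OFFSETS.items():
        if offset < mm <= offset + 12:
            try:
                return date(century + yy, mm - offset, dd)
            except ValueError:
                return None
    return None


def is_valid_pesel(pesel: str) -> bool:
    """A number is reported only if both the checksum and the encoded date are valid."""
    return pesel_checksum_ok(pesel) and pesel_birth_date(pesel) is not None


def mask(pesel: str) -> str:
    """Keep only the outer digits so the finding itself is not another copy of the data."""
    return pesel[:2] + "*" * 7 + pesel[-2:]


def scan_text(text: str, source: str) -> list:
    """Return one finding per valid PESEL, with source, line number and masked value."""
    findings = []
    for m in PESEL_CANDIDATE.finditer(text):
        cand = m.group()
        if is_valid_pesel(cand):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"source": source, "line": line_no, "pesel_masked": mask(cand)})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of file name to content (e.g. an outbox folder or a file share)."""
    findings = []
    for name, content in files.items():
        findings.extend(scan_text(content, name))
    return findings


# Constructed sample documents (hypothetical names and numbers, not real people).
# Only the two PESELs in the draft e-mail have a valid checksum and a real birth date;
# the invoice file holds 11-digit numbers that a digit-only regex would wrongly flag.
SAMPLE_FILES = {
    "outbox/draft_to_gmail.txt": (
        "Hi, here is the list you asked for:\n"
        "Jan Kowalski, PESEL 85031412347\n"
        "Anna Nowak, PESEL 01320500126\n"
    ),
    "finance/invoice_2022_06.txt": (
        "Invoice no. 12345678901\n"      # checksum fails
        "Contract ref 99130100014\n"     # checksum passes, but month 13 is not a real date
        "Account 85031412340\n"          # one digit off a real PESEL: checksum fails
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['source']}:{f['line']}: PESEL {f['pesel_masked']}")
```

Two design points carry over to any DLP rule, whatever the identifier: validate the structure (here the checksum and the encoded birth date), because a bare "11 digits" pattern drowns the administrator in false positives from invoices and account numbers and the rule ends up disabled; and never log the full value that was found, because the alert store would otherwise become one more place from which the same data can leak.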

The above steps will raise the level of data security in your company. Applying them consistently is difficult, however, without appropriate software such as a DLP solution that works in the background across the whole environment.

Mateusz Piątek
product manager Safetica

Do you have any questions?
Contact me:
[email protected]
532 570 255