6 ways employees are putting your company's data at risk

Most of the time, employees aren't knowingly risking data leaks, but casual behavior can end up costing your company

1 2 Page 2
Page 2 of 2

Opening documents in third-party apps: Millennials are twice as likely to use their own phones and tablets for work, and while working on the go is great, opening sensitive data in mobile apps like QuickOffice, Dropbox, or Evernote isn't great for your corporate data security.

"We define our VPN policies such that employees can connect remotely but get access to sensitive data/reports only through tradeMONSTER authorized devices. However, for emails etc., we make sure sensitive documents are kept in a shared location that is access-controlled," says Sahoo.

"Opening documents in third-party applications presents some unique challenges related to putting corporate data at risk. The first risk is sharing data with third parties, including applications like Facebook, Twitter, Evernote and Dropbox. While employees may naturally use caution when forwarding emails, the 'Open In' functionality is much less obvious, and they may be leaking data using 'Open In' unintentionally. A second dimension exists on the Android platform, where there is an increasing possibility that malware will play a role. Applications that impersonate trusted applications could be the recipient of confidential data when users open documents using the impostor," says Fiberlink's Lingenfelter.

Sending company data over personal email addresses: Eighty-four percent of respondents reported sending sensitive data via their personal email addresses. "Many times programmers view several security policies such as not being able to use personal email addresses, USB drives, etc. as a hindrance to their productivity. Transitioning them to a risk-aware culture, keeping morale high while keeping them motivated and creative is one of the toughest challenges a CIO can face," says Sahoo.

Using file transfer apps: You've got to send a coworker a file that's 40 megabytes, but you keep getting an error on your mail program saying the file is too large. That's a typical scenario that could find employees circumventing policy to get the job done.

[ Related Story: IT Resume Makeover: How to Tell Your Career Story ]

USB thumb drives, smartphones and tablets: In a recent survey by Symantec, 62 percent of respondents said that it was acceptable to transfer work documents to personal computers, tablets, or smartphones. The majority of these files, according to Symantec, are never deleted because employees don't understand the risks involved with keeping them.

Research from Fiberlink sheds some additional (and troubling) light. Fifty-one percent of employed U.S. adults surveyed who have personal smartphones/tablets use these mobile devices for work-related purposes, and a third of those who responded said that they have lost a USB drive with confidential information on it.

Data and IP theft: Symantec's survey revealed that half of employees who either left their position or lost their job in the last 12 months kept confidential company data to use with their next employer or business. In a recent article Robert Hamilton, director of product marketing at Symantec said, "Trusted employees are moving, sharing, and exposing sensitive data in order to do their daily jobs. In other instances, they are deliberately taking confidential information to use with their next employer."

Tackle the digital security challenge

In these situations, there is no way for the company to ensure that data is removed and/or deleted and that represents more than a few challenges for IT security and policy makers. One solution says Lingenfelter is to prevent data loss through third-party apps. "It makes sense to restrict use of these apps on mobile devices in certain circumstances, depending on your industry or corporate security policies."

The answer says Sahoo: "Make employees understand the goals and risks to the company, which in turn will encourage them to act accordingly. 'Entrust' not 'enforce' works like a charm. Ignorance is avoided with training, and intentional violations are avoided by creating a culture of trust and respect within the organization."

That said, security like many aspects of the tech market is a moving target. You've got to understand the inherent risks and put policies in place to minimize risk. "With technology changing so much, it is very difficult to constantly scope all aspects of securities for employees, hence it is an evolving process," says Sahoo.

This story, "6 ways employees are putting your company's data at risk" was originally published by CIO.

Copyright © 2013 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
How to choose a low-code development platform