In every business, it’s an acknowledged truth that your biggest risk will always be your own employees. Retail businesses see this and focus their cameras at the cashiers, not the customers. Companies that manage healthcare information impose restrictions on what their employees can and cannot see and can and cannot discuss, to make sure that they are HIPAA compliant.
As a business, it’s important to realize that your employees may be putting your business data at risk, not through malice, but simply because they don’t understand what they’re doing.
You need to take precautions, but you need to make sure that they’re not so Byzantine that your employees give up entirely.
Data in motion is data in danger
Every employee has had that moment where they realize that they’re going to need to finish up a project over the weekend. It seems like common sense to email the document to themselves so that they can keep working at home, right?
But doing this exposes your data to many problems. Home computers usually have far less strict security measures in place, meaning that the document could be stolen or corrupted while it’s outside of your control. It’s also possible for it to come back to the office with malware or a virus that compromises your network.
If your employees regularly need to work from home, make sure they have a dedicated work laptop that can travel back and forth with them and is subject to the same malware and virus controls as the rest of your network. If this is a one-time project, offer them overtime or a secure home wireless connection, and ask them to stay at the office to get the work done.
Understand why employees use workarounds
A survey on Huddle estimated that half of surveyed employees had used their personal email to send a work-related file, even though they understood that it was against regulations. Why? Not because they didn’t understand how to use the in-office methods, but because their intra-office email would not allow an attachment of sufficient size.
If you want to prevent data loss, then you need to understand how and why it happens. If your system doesn’t allow your employees to do their jobs, but the jobs still need to get done, employees will find a way to make that happen.
Instead of relying on thumb drives, emailed files, and other methods that make data easy to lose, consider a server where employees can store and safely access large files from work devices. This can be a physical server in the office, but many companies that don’t want to staff a full IT department are choosing to contract an offsite cloud-based service.
Control information appropriately
What is your business’s process for removing logins and other password access information from the system after an employee leaves or is terminated? What is the time frame in which that needs to happen? What checks are in place to make sure it does happen? Who is responsible for removing access from those who no longer need it? What happens if that person is the one whose access needs to be revoked?
A business that is carefully protecting its data will have answers for each of these questions. One of the most easily closed information loopholes is inappropriate access. When that loophole is closed, there are fewer opportunities for disgruntled employees to steal data or attack the systems that keep information safe.
Keep mobile devices safe
Many employers request that employees don’t bring their mobile devices to work, which is ridiculous. No matter how inconvenient it is for data security, we live in a world where everyone has a portable computer in their pocket.
However, it is very reasonable for employers to request that employees use work devices for work projects. It may mean that employers need to provide those devices, to make sure that malware and virus controls are sufficient for the information that they need to protect. But it’s a better policy than barring mobile use.
When you’re designing IT policies at work, it’s important to remember that you’re creating policies that need to be enforced by people. If you don’t create policies that respect that your employees are responsible adults, it’s much more likely that they’ll ignore the policies.
And if you don’t believe that your employees are responsible adults, then you need to ask yourself: Why did you hire them in the first place?