According to Dell's "End-User Security survey," almost three out of four employees polled said they were "willing to share sensitive, confidential or regulated company information." Now, that's a lot of employees.
But no business owner I know wants his or her company's information leaked, so defining "confidential information" to employees, and making sure the meaning is clear, is crucial.
"Confidential" means information that could harm a business if outsiders discovered it. And, today, of course, most of this information is stored and transmitted digitally. In some industries, such as health care, this confidentiality is legally defined, and new employees coming on board might have to sign an agreement promising not to disclose it.
In other industries, "confidential information" is more of a gray area; it could be certain customer information at a professional services firm or production processes in manufacturing.
Without detailed examination, an early impression of the Dell study might suggest that disgruntled employees are willing to throw their companies under the proverbial bus at an alarming rate -- but this isn't exactly the case. Employees in the survey responded that they would share confidential info only under certain circumstances, which included authorization by management or circumstances in which they felt little risk was involved.
Of course, besides intentional sharing, employees often leak confidential information by accident. Inadvertent leaks are probably the most common ones because systems aren't as secure as they are assumed to be, leaving data exposed. An employee might also fall victim to a phishing attempt. A look at IBM's 2015 Cyber Security Intelligence Index highlights the fact that 95 percent of cybersecurity incidents examined in that report stemmed from some form of employee mistake.
With that in mind, here are three steps you can take to help keep confidential information private:
1. Get employees up to speed.
More than 66 percent of data leaks logged by InfoWatch Group in 2016 were brought about internally. Relevant here is the fact that FINRA, an organization that reviews how firms comply with regulations regarding confidential information, has listed a lack of proper training as one of the top cybersecurity weaknesses in business.
In fact, training is essential, especially given the fact that not all leaks are intentional. Businesses need to educate employees on what constitutes confidential information (employee information, customer information, proprietary business information, etc.). This education also needs to be more than a companywide email; depending on a business's size and culture, the training could be an interactive online activity, a company webinar or a simple series of meetings covering what the team needs to know.
Employees are at the heart of the issue, but it's your company's responsibility to give them access to the tools they need to keep information confidential and train them in how to use these tools most effectively.
2. Encrypt sensitive emails.
Nonencrypted emails are like a door to your business's information that's been left ajar. Email encryption, however, restricts who can read a particular email to its designated recipients, keeping sensitive information from being read by unintended recipients.
This level of security is critical for many businesses' emails -- even personal emails are being encrypted more often today -- but companies as a whole stand to improve their practices. According to Echoworx's recent study on the state of encryption, only 40 percent of organizations surveyed are using email encryption extensively. For the remaining organizations, that's a big hole in the protection of their business's confidential information.
Once your company has educated your team on what confidential information means, this step should come naturally. Simply ensure that your employees know to encrypt any email with sensitive data. There are a variety of tools that let businesses do this, ranging from settings integrated into existing email services to third-party software that plugs into an existing email service.
3. Make security systems easy to use.
Organizations such as Deloitte University Press, University College London and others have all noted that user experience sometimes falls to the back burner when it comes to security. That shouldn't be the case -- the easier a system is for employees to use, the more likely they'll use it the right way, keeping private information within its borders. Using security software that doesn't take the user experience into account is akin to using less secure protection, so it's vital that your organization use security measures that your employees understand.
Achieving this is as simple as having a couple of conversations with key individuals. For instance, you need to discuss a system's ease of use with your vendors; if the vendor can't answer confidently, that system might not be a good fit.
Another way to make sure your security system is accessible to your employees is to test out tools with your team members and gauge their responses through post-test surveys, meetings or informal chats. Did they stumble through navigating a system even after some practice? Can they find what they need easily?
Overall, is your system helping keep information secure, or is it just requiring them to jump through hoops? Getting an idea of how your employees feel using a system will tell higher-ups how a system will fare in the long run.
Part of your responsibility when it comes to security is having procedures in place for handling confidential information. Knowing what information could potentially harm your organization is key to protecting it, especially when one in three employees takes corporate data with them when they leave, according to Dell's study.
Often, the most effective precautions seem the most basic, but focusing on eliminating weaknesses through employee training and email encryption is a great way to close large security holes and reduce the risk of an information leak.