There is a lot of uncertainty in today’s tech world. Every day brings another layoff announcement. Whether voluntary or involuntary, “leavers” are understandably seen as a risk. One study found that 40 percent of employees take data with them when they leave a job.
That presents a risk to the former employer, of course. It also presents a risk that the same person – now a “joiner” – brings that data to their new employer. Pegasystems learned this the hard way when they hired a developer from Appian. Appian claimed the developer used Appian’s trade secrets to improve Pegasystems’ products. A jury agreed and ordered Pegasystems to pay Appian over $2 billion as a result!
Diligent employees are the first line of defense in protecting sensitive information. Employees need access to this data to perform their jobs. It exists on their endpoints and phones. They share it through email, Slack, Zoom, cloud apps, and other channels. People become desensitized to the importance of data that they work with every day.
Understanding how to handle that data carefully, so as to prevent inadvertent leaks, starts at onboarding, not when people are changing jobs. Annual training events simply don’t work. One does not learn to speak a new language, fly a plane, or play a musical instrument by focusing on the task once each year. Why would good security habits be any different?
Contextual training – providing precise feedback on a specific situation – is particularly effective. In data loss prevention, an example is when an employee is attempting to download a file containing Personally Identifiable Information to a USB drive.
Contextual training would pause the activity and display a message explaining how this activity puts sensitive data at risk (along with a reminder of company policy).
Labeling documents can help users understand their role in protecting data. But remember, the classification of a document doesn’t last forever. An earnings announcement is highly sensitive prior to its release, and public information thereafter. A spreadsheet with patient identifiers and diagnostic codes is subject to HIPAA. Remove the patient identifiers and it is no longer covered.
When considering DLP solutions, look for those that classify data each time a user accesses it. This approach avoids false alerts common in legacy solutions that require pre-classification of all data within the organization.
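The two ideas above (a contextual prompt when sensitive data is about to leave a managed channel, and classification decided at the moment of access rather than from a stale label) can be sketched in code. The following is an added illustration, not code from Next DLP or from this post; the detector patterns, the destination list, the `embargo_until` parameter and the sample CSV are all constructed for the example, and a production engine would use validated detectors rather than bare regular expressions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed detector patterns (assumptions for this example; a real DLP
# engine uses validated detectors with checksums, context and confidence).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-?\d{6,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[A-Za-z]{2,}\b"),
}

# Destinations where a contextual prompt is shown before sensitive data moves
# (constructed list for the example).
REMOVABLE_OR_PERSONAL = {"usb", "personal_cloud", "personal_email"}


@dataclass
class Verdict:
    label: str                              # "sensitive" or "public"
    reasons: list = field(default_factory=list)
    action: str = "allow"                   # "allow" or "warn"
    message: str = ""                       # text shown to the user on "warn"


def classify(content, embargo_until=None, now=None):
    """Classify at the moment of access: identifiers present in the content
    right now, plus any time-based embargo still in force (e.g. an earnings
    note before its release date). Nothing is cached from an earlier label."""
    now = now or datetime.now(timezone.utc)
    reasons = [name for name, rx in PATTERNS.items() if rx.search(content)]
    if embargo_until is not None and now < embargo_until:
        reasons.append("embargoed until %s" % embargo_until.isoformat())
    return ("sensitive" if reasons else "public", reasons)


def evaluate_access(content, destination, embargo_until=None, now=None):
    """Decide what happens when a user tries to move content to a destination.
    Public data is always allowed; sensitive data headed for removable or
    personal channels is paused with an explanation instead of silently blocked."""
    label, reasons = classify(content, embargo_until, now)
    verdict = Verdict(label, reasons)
    if label == "sensitive" and destination in REMOVABLE_OR_PERSONAL:
        verdict.action = "warn"
        verdict.message = (
            "Paused: this file appears to contain %s. Copying it to %s puts "
            "sensitive data outside company control; policy requires an "
            "approved share instead. Continue only if you have a business need."
            % (", ".join(reasons), destination)
        )
    return verdict


def remove_identifiers(content):
    """Strip the identifiers the detectors recognise; re-classifying the result
    shows the same file is no longer treated as sensitive."""
    out = content
    for name, rx in PATTERNS.items():
        out = rx.sub("[%s removed]" % name, out)
    return out


# Constructed sample: a patient spreadsheet export with identifiers and
# diagnosis codes (fictional values).
SAMPLE_CSV = """patient,mrn,ssn,contact,diagnosis
Jane Doe,MRN-0012345,123-45-6789,jane.doe@example.com,E11.9
John Roe,MRN-0098765,987-65-4321,john.roe@example.com,I10
"""

if __name__ == "__main__":
    before = evaluate_access(SAMPLE_CSV, "usb")
    print(before.action, before.reasons)
    print(before.message)
    after = evaluate_access(remove_identifiers(SAMPLE_CSV), "usb")
    print(after.action, after.reasons)
```

Running the script pauses the USB copy of the original export and names the identifiers that triggered it, while the de-identified copy of the same file is allowed through; passing an `embargo_until` date makes a document sensitive only until that date passes, with no re-labeling step required.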
Many data protection solutions are little more than employee monitoring technologies. Taking an approach that protects user privacy, provides guidance on why data protection is important, and enlists their help in the process is more effective. A positive security culture begins and ends with trust, making it less likely employees will take actions that would put data at risk when they are joining, leaving, or moving within an organization.
Change is inevitable. Employees will look for advancement within and outside organizations. Economic upswings and downturns will impact hiring and layoffs. Data protection strategies that respect privacy and prompt contextual reminders of when data is at risk provide security guardrails protecting data and allowing users to be productive without blocking activities.
If you want to learn more, check out the Fireside Chat between Next DLP’s Tom Cope and Chris Denbigh-White.