Until the news broke that Edward Snowden, a contractor, had stolen and leaked NSA classified files, it was unlikely that the business world considered the threat that employees represented to their data. Businesses have long focused on protecting themselves from outsiders, competitors, hackers and the like. Businesses understand that there are myriad ways that their data can be breached, exposed or corrupted. They also understand that the party most interested in their data is their competition. As a result, the focus of data protection is to protect it from external threats.
However, a new report from Boscom research is turning this thinking on its head. The report states that a staggering 85 percent of employees have taken company information and even documents when leaving a company. If Edward Snowden was a shot across the bow, this report was a direct hit. This not only provides insight into the intention of employees, but worryingly exposes how easy it is for employees to steal a company’s data.
It is understandable that companies have trouble protecting their data from employees. Generally speaking, a company’s efficiency depends on the access their employees have to their data. At first glance, there is seemingly no way to restrict access to data without impeding business function. Most businesses when confronted with this issue have surely thrown up their hands and said that the problem is unsolvable.
To elaborate, let’s use the example of a brokerage. A brokerage has several layers of employees, each with different roles, responsibilities and data needs. Sales agents will require personal information and contact details of leads to perform their roles, as well as details of the current promotion. Affiliates, who perform a somewhat similar role, will need access to some of the same data, but not necessarily the same type of data. Marketing will require different data, as will Management. The picture that this paints is that the method of accessing data and the amount of data that is needed clearly vary between roles. Understanding this is a key starting point: recognizing that there is a method of controlling data flow that will protect your data without impacting productivity. Data access should be limited in each role to “need to know” levels of information.
To be able to control data, your data needs to be stored in software that is able to recognize users and provide access control. Most CRM software has this capability. Because of privacy restrictions, many industries will be required to utilize some sort of data protection to protect customers from leaked data, meaning that most businesses will have this element in place already.
Encryption of data is another method of protecting and controlling access to client data. Nowadays, it is easy to steal data by taking a simple screenshot and sending the copy via email. If, however, the data is encrypted, there is no value in copying the data. What about a role where there is a need to contact a client, like a sales role? It is possible to allow the sales agent to directly contact a client without providing the contact details, by using auto-dialing applications or VoIP (like Skype).
These practical examples are only likely to be effective within the framework of a more integrated policy on data control. Management must implement a policy which addresses the specific areas that should be controlled. Putting this in writing and sharing the policy with employees is the crucial first step in allowing everyone to be on the same page. It is imperative to set clear and practical rules such as details of what can and cannot be attached to a document via email, restrictions on copying files to a USB, how to handle personal emails and the like.
Once this policy is in place, the accesses and restrictions should be integrated into the system and a means of tracking improper use put in place. Most software tools can generate notifications of improper access, etc. In addition, certain protections should be put in place to make it challenging to remove data. Examples include storing data on Windows networks on NTFS-formatted drives, providing read-only access restrictions and preventing employees from installing USB devices.
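As an added illustration (not code from the original article or from any particular CRM product), the sketch below combines the "need to know" field access per role, contacting a client without disclosing the contact details, and notifications of improper access. The field names, the role-to-field policy, the sample record and the `place_call` dialer callback are all assumptions made for the example.

```python
import logging

log = logging.getLogger("crm.access")

# Constructed lead record; field names and values are illustrative.
LEAD = {"id": 17, "name": "A. Client", "phone": "+1-555-0100",
        "email": "client@example.com", "promotion": "Q3 bonus",
        "campaign": "newsletter", "deposit_total": 2500}

# Assumed need-to-know policy: the fields each role may read.
READABLE = {
    "sales": {"id", "name", "promotion"},
    "affiliate": {"id", "promotion"},
    "marketing": {"id", "campaign"},
    "management": {"id", "name", "promotion", "campaign", "deposit_total"},
}
# Roles allowed to contact a lead through the dialer without seeing the number.
MAY_DIAL = {"sales"}

alerts = []  # stands in for the notification channel (email, SIEM, ticket)


def alert(user, role, action, detail):
    """Record an improper-access event and log it."""
    event = {"user": user, "role": role, "action": action, "detail": detail}
    alerts.append(event)
    log.warning("improper access: %s", event)


def view(user, role, record, requested):
    """Return only the requested fields the role may read; alert on the rest."""
    allowed = READABLE.get(role, set())  # unknown role: deny everything
    denied = sorted(set(requested) - allowed)
    if denied:
        alert(user, role, "read", denied)
    return {f: record[f] for f in requested if f in allowed and f in record}


def dial(user, role, record, place_call):
    """Start a call via the dialer; the number is never returned to the user."""
    if role not in MAY_DIAL:
        alert(user, role, "dial", record["id"])
        return False
    place_call(record["phone"])  # number is handed to the dialer only
    return True
```

Enforcement belongs on the server side: if the full record reaches the client and is merely hidden in the interface, the restriction does not hold.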
With proper preparation and the right structure in place, employee theft of data can be curtailed without hampering productivity. This will allow the business to protect itself from myriad data breaches, while keeping the trust between employees and employers in place.
Originally published in Counting Pips