Employees who leave a company can take sensitive data with them, intentionally or unintentionally. The harm caused by such incidents is huge. Consider the example of an employee of the FDIC who exposed 44,000 FDIC customers’ personal information. She had downloaded the data to her personal storage device. More such data breaches can be found across the industry.
According to a survey by Veriato, a provider of employee monitoring software, a third of participants believe they own or share ownership of the corporate data they work on, and more than half feel it’s fine to take corporate data with them when they leave a job.
“The potential damage from even one employee taking confidential and proprietary customer data, software code or login credentials with them to a new job, especially with a competitor, is astronomical,” Veriato COO Mike Tierney said at the time.
Companies can potentially defuse such data threats.
It’s crucial to focus on what really matters in protecting sensitive data, said AvePoint product analyst Ben Oster. “You can have all these policies in place, but if HR lets somebody walk over and plug in a USB drive after they’ve been let go, it doesn’t matter,” he said.
Oster provided the example. “She plugged her drive in and just copied a folder that she thought was her information, and it turns out it wasn’t. The issue is not that she was able to copy that data; the issue is that that data existed outside of anyone’s knowledge of where it was.”
“If we can’t actually break down how to discover it or classify it, we can’t start to put things in place that say, ‘You can’t take this document,’ because we don’t know what’s in it.”
“You really need to get in there and figure out what that is, because if you don’t, you’re going to see things get even fuzzier,” he said.
Companies can take a holistic approach to data loss prevention. Michela Menting, research director at ABI Research, said that a good data loss prevention (DLP) solution can be key to protecting your data.
“DLP systems act as enforcers of data security policies by performing deep content inspection and a contextual security analysis of transactions,” Menting said. “They provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of confidential information.”
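The discovery and classification step Oster describes, and the content inspection Menting mentions, can be sketched as follows. This is an added example, not code from any vendor named in the article; the regex patterns, the labels and the `bulk_threshold` value are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Constructed, illustrative patterns (assumptions, not a vendor rule set).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_text(text: str) -> dict:
    """Content inspection: count SSN-like and card-like values in text."""
    cards = 0
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            cards += 1
    return {"ssn": len(SSN_RE.findall(text)), "card": cards}


def classify(findings: dict, bulk_threshold: int = 10) -> str:
    """Map findings to a label; bulk_threshold is an assumed policy value."""
    total = sum(findings.values())
    if total == 0:
        return "public"
    return "restricted" if total >= bulk_threshold else "confidential"


def discover(root) -> dict:
    """Walk root and return {relative path: label} so nothing sits unknown."""
    inventory = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            text = path.read_text(errors="ignore")
            inventory[str(path.relative_to(root))] = classify(inspect_text(text))
    return inventory


if __name__ == "__main__":
    import sys
    for name, label in discover(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{label:12} {name}")
```

The resulting inventory is what a policy such as "this folder may not be copied to removable media" would be written against.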
AvePoint’s Oster said that a strong security awareness training program can help to a great extent.
“As consumers and employees, we need to be more aware of what we’re doing with data, what that content actually means, and what the privacy and compliance implications are of everything we touch on a daily basis,” he said.
Encryption is the key to the problem. One can start by encrypting content with the relevant software.
“If you’re encrypting every single piece of information everywhere, the workload becomes larger, it becomes harder for your end users to use that data, and you’re actually more likely to drive them onto a system that’s not under your control,” Oster said.
And once employees start saving corporate data to their own Dropbox or OneDrive, you’ve lost track of it. “So while encryption can protect the data when it’s in motion or at rest, anything that makes it harder for your end users to get their jobs done likely pushes them toward a solution that you don’t want,” Oster said.
“We saw a case once where a company terminated an employee, and then HR walked them back and let them plug in a USB drive — and they promptly took 20 GB worth of information,” Oster said. “It doesn’t matter how good your information security is if HR is letting them do that.”
Alertsec is a full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.