IT walks a fine line between balancing security issues and giving people the tools they need to get the job done. Every day companies move sensitive data around and IT is in charge of securing that data, but what about the little things that tend to fall through the cracks?
According to data from several recent surveys there are a number of things your employees could be inadvertently doing that puts your company's sensitive data and information at risk.
A survey done recently by IPSwitch, an FTP software organization, includes some of the reasons employees are putting sensitive data into places where IT has no control over what happens to it:
- To circumvent file-size limits prescribed for work email
- Third-party mail is faster and has fewer restrictions than corporate email tools
- For use in their next place of employment
- They find it difficult to connect to work email when outside of the office
- IT doesn't monitor what they're sending via personal email
Sanjib Sahoo, CTO at tradeMONSTER says he thinks about security and customer privacy a lot. Working in the online brokerage portion of the financial industry, data is his company's life's-blood and as CTO he puts extra emphasis on the security of his data.
"We have to put measures in place to protect against the loss, misuse and alteration of the information of customer data and any other data which we control. At the same time, we put a lot of importance on our intellectual property, considering that we have numerous patents , granted and pending, for our technology and platform," says Sahoo.
This means new employees who might not be fully aware of risks and data policies need training in regards to the balanced culture of concern, awareness and trust. "We implement a strict security policy and access control policy when employees join [the company]," says Sahoo.
A recent survey done by Harris Interactive on behalf of Fiberlink highlights many of the challenges that today's IT departments are facing. In the survey, 2,064 U.S. adults were asked about their mobile behavior. Many of the behaviors below are done in a benign way in an effort to get the job done but they still could potentially expose sensitive corporate data.
Using Cloud Storage Services: More than 50 percent of people who responded to the Fiberlink survey reported uploading sensitive data to cloud services like Dropbox and iCloud. "Consumer file-sharing and synchronization services such as Dropbox are appealing to business users because they are accessible and convenient. However, it's those same attributes that make them a security concern for CIOs and IT professionals," says David Lingenfelter, the information security officer at Fiberlink.
Opening documents in third-party apps: Millennials are twice as likely to use their own phones and tablets for work and while working on the go is great, opening sensitive data in mobile apps such as QuickOffice, Dropbox or Evernote isn't great for your corporate data security.
"We define our VPN policies such that employees can connect remotely but get access to sensitive data/reports only through tradeMONSTER authorized devices. However, for emails etc., we make sure sensitive documents are kept in a shared location that is access controlled," says Sahoo.
"Opening documents in third-party applications presents some unique challenges related to putting corporate data at risk. The first risk is sharing data with third parties, including applications like Facebook, Twitter, Evernote and Dropbox. While employees may naturally use caution when forwarding emails, the 'Open In' functionality is much less obvious and they may be leaking data using 'Open In' unintentionally. A second dimension exists on the Android platform, where there is an increasing possibility that malware will play a role. Applications that impersonate trusted applications could be the recipient of confidential data when users open documents using the impostor," says Fiberlink's Lingenfelter.
Sending company data over personal email addresses: Eighty-four percent of respondents reported sending sensitive data via their personal email addresses. "Many times programmers view several security policies such as not being able to use personal email addresses, USB drives, etc. as a hindrance to their productivity. Transitioning them to a risk-aware culture, keeping morale high while keeping them motivated and creative is one of the toughest challenges a CIO can face," says Sahoo.
Using File Transfer apps: You've got to send a coworker a file that's 40 megabytes but you keep getting an error on your mail program saying the file is too large. That's a typical scenario that could find employees circumventing policy to get the job done.
Related Story: IT Resume Makeover: How to Tell Your Career Story
USB thumb drives, smartphones and tablets: In a recent survey by Symantec, 62 percent of respondents said that it was acceptable to transfer work documents to personal computers, tablets or smartphones. The majority of these files, according to Symantec, are never deleted because employees don't understand the risks involved with keeping them.
Research from Fiberlink sheds some additional (and troubling) light. Fifty-one percent 51 percent of employed U.S. adults surveyed who have personal smartphones/tablets use these mobile devices for work-related purposes and a third of those who responded said that they have lost a USB drive with confidential information on it.
Data and IP Theft: Symantec's survey revealed that half of employees who either left their position or lost their job in the last 12 months kept confidential company data to use with their next employer or business. In a recent article Robert Hamilton, director of product marketing at Symantec said, "Trusted employees are moving, sharing and exposing sensitive data in order to do their daily jobs. In other instances, they are deliberately taking confidential information to use with their next employer."
Tackle the Digital Security Challenge
In these situations there is no way for the company to ensure that data is removed and/or deleted and that represents more than a few challenges for IT security and policy makers. One solution says Lingenfelter is to prevent data loss through third-party apps. "It makes sense to restrict use of these apps on mobile devices in certain circumstances, depending on your industry or corporate security policies."
The answer says Sahoo: "Make employees understand the goals and risks to the company, which in turn will encourage them to act accordingly. "Entrust" not "Enforce" works like a charm. Ignorance is avoided with training, and intentional violations are avoided by creating a culture of trust and respect within the organization."
That said, security like many aspects of the tech market is a moving target. You've got to understand the inherent risks and put policies in place to minimize risk. "With technology changing so much, it is very difficult to constantly scope all aspects of securities for employees, hence it is an evolving process," says Sahoo.