Just as soldiers and government employees can electronically download and distribute secret and confidential information, so can employees who have access to electronic data, in any workplace.
Today’s digital storage of information and electronic communication simply makes it easier and faster to disclose substantially more. Some individuals who transfer confidential, private and secret information for worldwide dissemination may be motivated by noble intentions: they believe that blowing the whistle on a company serves everyone’s best interest. But the greater risk for private companies comes from disgruntled employees and those about to be fired.
Many of these employees are disengaged from their jobs. Think of them as the employees who are present in the workplace, but absent from their work. Employee disengagement is a major risk for the theft and unauthorized distribution of data — especially among IT employees. The more access an employee has to information at your company, the greater the risk.
There is no absolute, 100% secure way to prevent all possible breaches, theft, and accidental unauthorized distribution of private, secret, personal, and confidential information. However, there are many steps that businesses and organizations can take to defend against leaks and other types of data theft and unauthorized information distribution.
Here are ten steps to secure private, personal, confidential and valuable data:
1. Establish and nurture a culture of trust and fairness among employees.
2. Develop hiring procedures that:
3. Tighten internal electronic data access control. Information should be provided to employees only on the basis of need.
4. Destroy, on a regular maintenance schedule, older stored data that is no longer deemed necessary. Consult with your attorney and your accountant to develop guidelines and a schedule so that deletions conform to legal and accounting requirements.
5. Monitor employees’ electronic activity and investigate abnormal behavior. Look for access during non-work hours, large downloads and employees who obtain information that may not be required.
6. Proactively track who is accessing what information on the network. Compare the activity to what individuals should be accessing. Many organizations also scan outgoing and incoming e-mail. Audit the information employees are accessing remotely and the data being turned over to outsiders, third-party individuals, companies and contractors.
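As an added example (not from the original article), the three signals named in steps 5 and 6 applied to a handful of constructed access-log records: off-hours access, unusually large downloads, and access to data outside what the employee's role requires. The role-to-department mapping, the working-hours window and the download threshold are assumptions a real deployment would replace with its own policy.

```python
import datetime as dt

# Constructed sample access-log events (not real data). 2024-03-04 is a Monday,
# 2024-03-09 a Saturday. "owner" is the department that owns the resource.
EVENTS = [
    {"user": "alice", "role": "finance", "ts": "2024-03-04T10:15:00",
     "resource": "ledger_q1.xlsx", "bytes": 2_000_000, "owner": "finance"},
    {"user": "bob", "role": "it", "ts": "2024-03-04T02:40:00",
     "resource": "payroll_export.csv", "bytes": 750_000_000, "owner": "hr"},
    {"user": "carol", "role": "hr", "ts": "2024-03-09T11:00:00",
     "resource": "payroll.csv", "bytes": 50_000, "owner": "hr"},
    {"user": "dave", "role": "sales", "ts": "2024-03-05T14:30:00",
     "resource": "customer_list.csv", "bytes": 600_000_000, "owner": "sales"},
]

# Assumed policy: which departments' data each role legitimately needs (step 3),
# the local working-hours window, and what counts as a "large" download.
ROLE_NEEDS = {"finance": {"finance"}, "hr": {"hr"}, "it": {"it"}, "sales": {"sales"}}
WORK_HOURS = range(8, 19)            # 08:00 to 18:59, Monday to Friday
LARGE_DOWNLOAD_BYTES = 500_000_000   # 500 MB


def flag_event(event):
    """Return the list of reasons an access event deserves review (empty if none)."""
    reasons = []
    ts = dt.datetime.fromisoformat(event["ts"])
    if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
        reasons.append("off-hours access")
    if event["bytes"] >= LARGE_DOWNLOAD_BYTES:
        reasons.append("large download")
    if event["owner"] not in ROLE_NEEDS.get(event["role"], set()):
        reasons.append("outside role need-to-know")
    return reasons


def review(events):
    """Flagged events, most reasons first, so the riskiest combination is investigated first."""
    flagged = []
    for event in events:
        reasons = flag_event(event)
        if reasons:
            flagged.append({"user": event["user"], "resource": event["resource"], "reasons": reasons})
    return sorted(flagged, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for f in review(EVENTS):
        print(f"{f['user']:6} {f['resource']:20} {', '.join(f['reasons'])}")
```

A single signal (a weekend login by an HR employee) is often benign; the combination of all three, as in the second record, is what step 5 asks you to investigate.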
7. Overlap the responsibilities of multiple employees who work with (or have access to) sensitive data, so they can observe each other’s activities. This is similar to having two or more employees overlap in handling financial recordkeeping to decrease the opportunities for embezzlement.
Having multiple employees overlapping duties is a must for any organization committed to data security. No one person in the IT team should have sole responsibility for a given system, platform or application. This requires cross-training of individuals and ensuring that the individuals regularly rotate responsibilities.
8. Adopt written policies and procedures about use of, and access to, your electronic and digital equipment and systems. The policies and procedures need to deal with what is allowed, what is prohibited, and the consequences if an employee misuses or wrongfully distributes information, records, and documents. Distribute the policies and procedures to all employees and obtain their signatures verifying they received, read, and understand the policies.
9. State clearly in the policies that former employees will no longer have access to private, sensitive, and confidential information. This especially means that former employees are not given access to employer-issued or employer-owned computers, laptops, other data-bearing devices, or paper documents.
10. Communicate regularly, at least once a year, these policies and procedures to all employees.