Vendor View: Matt Lock, Director of Sales Engineers at Varonis, shares advice on why work devices aren't a safe haven for PII and how to protect employees from themselves
Organisations always have ultimate responsibility for the security of data on their systems. However, when it comes to keeping their own information and data secure, employees are often their own worst enemies.
Ask any worker about their personal data management habits, and you’ll very likely find they have regularly used their work device to store personally identifiable information (PII) about themselves, either on the machine itself, within their emails, or on the company network.
From event registration details to a forgotten scan of their passport, most devices are ripe with personal data that could cause a major security incident for both the individual and the company if it falls into the wrong hands.
In one instance, we found an employee had saved a file to their user drive with the full details of everything you could imagine, from account passwords to addresses and maiden names. The list was evidently created as an “in the event of my death” type document to thoughtfully let someone access and resolve their various accounts if anything happened to them. Unfortunately, the individual had failed to consider what would happen if a hacker or unscrupulous colleague opened the file in the meantime.
Why aren’t work devices a safe haven for PII?
It's easy to understand why an employee would use their company email or allocated folders to store PII. We all accumulate a multitude of accounts throughout our lives, so it stands to reason that someone would choose to document all these details. All logic suggests that the corporate network is more likely to be secure compared to a personal computer or device.
However, this sense of security is often false as many organisations have a poor grip on how files are accessed, and most still have the majority of their folders set to open access; a recent survey of 130 organisations found that 58% had more than 100,000 folders open to all employees. This means that, in many cases, employees can access everyone else’s personal drives and files, creating a PII and data control nightmare for organisations.
The problem is exacerbated by the introduction of the GDPR. The new regulation doesn’t make any distinction between a user’s own PII and information owned by the company. This means that in addition to leaving themselves vulnerable to having their information stolen or exploited, users who leave PII on enterprise resources are potentially adding fuel to the fire of any security incident.
An additional challenge is created by the use of personal devices for work. Officially, these are usually mobile or tablet devices rather than a full laptop or desktop, but some users may still send work-related content over to their personal devices off the record. In either case, if a personal device is not properly managed and secured, this can lead to a serious breach.
How do we protect employees from themselves?
A lack of awareness is the major cause of these employee-created risks. Most employees have no idea they can reach each other’s files until they stumble into them, and are not aware of the risks created by leaving PII on their systems. Collating important personal data in a single place is quite a useful and practical step – as long as it has been stored securely.
Ultimately, the onus is on the company to know what data they have on their systems, and they should take the initiative to inform their employees of the risks of unsecured PII – whether their own or that of customers – and provide practical advice on dealing with it correctly. For example, all work-related data on the system should be saved to properly secured areas or deleted as soon as possible. Additionally, whilst it's now commonplace for companies to tell employees not to save personal information to corporate file shares, organisations should still regularly search their file stores to identify, classify and flag any potentially sensitive information.
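The file-store search described above, as an added example that is not part of the original article and not a Varonis tool: a small Python classifier that walks a share, flags files containing email addresses, credential lines or Luhn-valid card numbers, and records whether each flagged file is readable by everyone. The detection rules, the sample share built by `build_sample_share()` and its file names are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Constructed detection rules; a production classifier carries a far fuller rule set.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CRED_RE = re.compile(r"(?i)\b(password|passwd|pin)\s*[:=]\s*\S+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_text(text: str) -> set[str]:
    """Return the PII categories found in a piece of text."""
    found = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if CRED_RE.search(text):
        found.add("credential")
    if any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(text)):
        found.add("card_number")
    return found

def scan_share(root: str) -> list[dict]:
    """Walk a file store and flag files holding PII, noting open access."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            cats = classify_text(path.read_text(errors="ignore"))
            if cats:
                hits.append({"path": str(path.relative_to(root)),
                             "categories": sorted(cats),
                             # POSIX 'other' read bit; on a Windows share check the ACL
                             "world_readable": bool(path.stat().st_mode & 0o004)})
    return hits

def build_sample_share() -> str:
    """Constructed sample file store (temp dir) mirroring the case in the text."""
    root = tempfile.mkdtemp(prefix="share_")
    user = Path(root, "users", "jsmith")
    user.mkdir(parents=True)
    note = user / "if_i_die.txt"
    note.write_text("bank login: jsmith@example.com\npassword: Hunter2!\n"
                    "card: 4111 1111 1111 1111\nmother's maiden name: Jones\n")
    note.chmod(0o644)  # readable by everyone, like an open-access folder
    (user / "minutes.txt").write_text("Q3 planning meeting, no personal data.\n")
    return root
```

Running `scan_share(build_sample_share())` flags only the "in the event of my death" style note, which is exactly the file a periodic classification sweep should surface for removal or relocation to a secured area.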
Employees should also be made aware that the company has the right to inspect company emails at any time, including any personal activity they may use them for. Likewise, all personal devices being used for work should be registered as official BYOD devices and enrolled in Mobile Device Management software that allows them to be managed or erased in a security emergency. Companies also need to ensure that sensitive enterprise data is never sent to unsecured, unregistered personal devices.
Companies should also implement a least privilege approach to access permissions. This means that employees can only access the files and systems they need to do their job. Limiting access to sensitive information is particularly important, as this will drastically reduce the risk of critical data being exploited by both malicious insiders and external hackers.