Easy ways data may be leaving your organisation – without your knowledge

Cyber Serious

13 December 2019

Data privacy is a non-negotiable in today’s workplaces, but it can be complex and difficult to implement and monitor – meaning not all organisations are up to scratch. In some cases, confidential data might even fall into the hands of cybercriminals without anyone even knowing. Consumer and employee data is a growing motivator for hackers and virtual intruders, and according to the Office of the Australian Information Commissioner, within the last year there has been a 700% increase in data breaches in Australia.

Ben Wonson, Principal Consultant at KJR, speaks on the importance of keeping data secure. “Having good security practices is important to maintain the trust people give your company” – with the amount of data people might not even know they’re giving to an organisation, keeping it secure is simply “an employee’s responsibility as a good corporate citizen”. As it stands, many Australian organisations haven’t properly prepared for data theft and are open to a breadth of cyber threats.

Even with cybersecurity measures taken to avoid intruders, risks can still be present in the workplace simply through human error. As a direct result of employee actions, data can leave the organisation and become exposed in the public domain without staff even recognising what they’ve done.

Here’s a look at some common workplace mistakes that open the door for data breaches.

Security certificate failures

When companies handle their sensitive data through a corporate website, it’s necessary for the data transmission to be encrypted. Sylvia Choa, KJR Cybersecurity Principal Consultant, explains, “to facilitate a trusted connection, most companies obtain security certificates which uniquely identify them as a trusted entity”. After all, there’s no point having encrypted communication when you’re not sure who you’re connecting with.

If a certificate expires, however, “the protection that comes with it will vanish” – meaning the trusted encrypted connection is no longer available. When security certificates aren’t in place or aren’t renewed in time, data can end up being transmitted in an unencrypted form. Consequently, company websites can be compromised, with a higher likelihood of data breaches as a result.
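The expiry problem described above is easy to catch before it bites if certificates are checked on a schedule. The script below is an added example (not KJR's code): it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so `assess_cert()` can be fed either a live host's certificate via `fetch_cert()` or the constructed sample certificate embedded here. The hostnames, dates and the 30-day warning window are assumptions chosen for the example.

```python
"""Certificate expiry check in the shape of a small monitoring script.

Added example, not KJR's own code. It works on the dictionary that Python's
ssl.SSLSocket.getpeercert() returns, so assess_cert() accepts either a live
host's certificate (fetch_cert) or the constructed sample below.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in getpeercert() shape; example.test is a reserved name, not a real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "notBefore": "Dec 13 00:00:00 2019 GMT",
    "notAfter": "Mar 12 23:59:59 2020 GMT",
}

SECONDS_PER_DAY = 86400


def days_until_expiry(cert, now):
    """Days (fractional, negative once expired) from `now`, an aware UTC
    datetime, to the certificate's notAfter timestamp."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC epoch seconds
    return (not_after - now.timestamp()) / SECONDS_PER_DAY


def assess_cert(cert, now, warn_days=30):
    """Return ('expired' | 'expiring' | 'ok', days_remaining).

    'expiring' fires inside the renewal window so the certificate can be
    replaced before clients start refusing the connection."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "expired", days
    if days <= warn_days:
        return "expiring", days
    return "ok", days


def assess_on(cert, iso_date, warn_days=30):
    """Convenience wrapper: assess the certificate as of a given UTC date."""
    now = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return assess_cert(cert, now, warn_days)


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live host's leaf certificate with default CA validation on.

    If the certificate is already expired, mis-named or untrusted, the
    handshake raises ssl.SSLCertVerificationError. That exception is exactly
    the loss of the trusted connection described above, so callers should log
    it rather than switch verification off to get past it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(hosts, now=None, warn_days=30):
    """Assess each host; returns {host: (status, days)}, or ('error', message)
    when the connection or the validation fails."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for host in hosts:
        try:
            results[host] = assess_cert(fetch_cert(host), now, warn_days)
        except (ssl.SSLError, OSError) as exc:
            results[host] = ("error", str(exc))
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    for when in ("2019-12-20", "2020-02-20", "2020-03-13"):
        status, days = assess_on(SAMPLE_CERT, when)
        print(f"{when}: {status} ({days:.1f} days remaining)")
```

In practice `report()` would be run against the organisation's own hostnames from a scheduler and its "expiring" and "error" rows routed to whoever owns renewals; the "error" branch is deliberately kept separate from "expired" because a verification failure on a still-valid certificate (wrong name, untrusted issuer) is its own problem.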

Emailing confidential data to external accounts

As Ben explains, “human error comes into play when, unawares, an employee emails or sends sensitive information to an external address or uploads it onto their cloud storage services without the proper security measures in place”. This means data is sent out of the organisation with the risk of it being shared further through secondary, less secure sources. An employee might upload customer data onto their Dropbox account, for example, which may be connected to their phone or personal computer. The risk this poses to a company’s security compounds with every device and account the data reaches. A lost or stolen phone can provide direct access to corporate data. A personal computer might be more easily hacked, being outside a corporate network and without protection from malware. Similarly, a personal Dropbox account can be compromised if suitable password practices haven’t been maintained.

This is a very common occurrence of human error in the workplace – which is why most mature organisations have content filtering systems installed to prevent access to external services. They also tend to educate staff on the risks of using such services, to further reduce human error.
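The content filtering mentioned above can be illustrated as detection logic over an outbound mail log. The code below is an added example, not KJR's code and not any gateway product's real rule set: the log format, the organisation's domain (`corp.example`), the list of consumer file-sharing services, the sample records and the two data-shape patterns are all constructed for the example. A finding is raised only when a message has both a risky destination and a content signal, so routine external mail without data in it stays quiet.

```python
"""Outbound-mail check for sensitive data heading to external or personal
cloud destinations: the content-filtering idea above, as detection logic.

Added example, not KJR's code and not any gateway's real rule set. The log
format, domains, records and patterns are all constructed for the example.
"""
import re
from collections import namedtuple

# Assumptions for the example: the organisation's own mail domains, and
# consumer file-sharing services staff might forward work data to.
INTERNAL_DOMAINS = {"corp.example"}
SHARING_SERVICES = {"dropbox.com", "drive.google.com"}
EXPORT_EXTENSIONS = (".csv", ".xlsx")

# Deliberately simple shapes that suggest customer or employee records.
SENSITIVE_PATTERNS = {
    "tfn": re.compile(r"\b\d{3} ?\d{3} ?\d{3}\b"),     # Australian tax file number shape
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),  # 16-digit payment card shape
}

# Constructed sample gateway log: timestamp|sender|recipients|attachments|subject
SAMPLE_LOG = """\
2019-12-13T09:01:00|alice@corp.example|bob@corp.example|q4-report.xlsx|Q4 numbers
2019-12-13T09:05:00|alice@corp.example|alice.personal@gmail.com|customer-list.csv|TFN 123 456 789 for review
2019-12-13T09:10:00|carol@corp.example|share@dropbox.com|payroll.csv|payroll backup
2019-12-13T09:15:00|dave@corp.example|partner@vendor.example|agenda.txt|meeting
"""

Finding = namedtuple("Finding", "timestamp sender recipient reasons")


def domain_of(address):
    return address.strip().rsplit("@", 1)[-1].lower()


def destination_risk(recipient):
    """Why this recipient is outside the organisation's control, or None."""
    domain = domain_of(recipient)
    if domain in SHARING_SERVICES:
        return "consumer file-sharing service"
    if domain not in INTERNAL_DOMAINS:
        return "external recipient"
    return None


def content_risks(attachments, subject):
    """Signals that the message carries bulk or personal data."""
    reasons = []
    for name in filter(None, attachments.split(";")):
        if name.lower().endswith(EXPORT_EXTENSIONS):
            reasons.append(f"data export attachment {name}")
    for label, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(subject):
            reasons.append(f"{label} pattern in subject")
    return reasons


def scan(log_text):
    """Return one Finding per (message, risky recipient) pair. A finding needs
    both a risky destination and a content signal."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, sender, recipients, attachments, subject = line.split("|", 4)
        content = content_risks(attachments, subject)
        if not content:
            continue
        for recipient in recipients.split(","):
            dest = destination_risk(recipient)
            if dest:
                findings.append(Finding(timestamp, sender, recipient.strip(), [dest] + content))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.sender} -> {f.recipient}: {'; '.join(f.reasons)}")
```

Against the constructed log, the internal spreadsheet and the plain external agenda produce nothing, while the customer list sent to a personal Gmail address and the payroll export sent to Dropbox each produce a finding that names both the destination and the content reason, which is what a reviewer needs to decide whether it was a mistake or a policy gap.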


Lack of security awareness

If staff members are unaware of the workplace restrictions regarding sensitive information, curiosity might just take over when accidentally discovering confidential information. When incorrect or excessive access permissions are granted and an employee logs onto their account, suddenly able to view previously inaccessible files and data, what’s to stop them from peeking? Or worse, sharing!

While antivirus and cybersecurity measures can be taken by companies, ensuring employee awareness of these risks is essential for eliminating human error. Ben suggests it’s important to create a “mental connection” for employees to help them understand how unsecure online practices at work can affect themselves and their workplace.

Allocating roles and responsibilities to employees for developing and maintaining proper security practices within an organisation is essential. Sylvia recommends applying the principle of least privilege (POLP) and “sharing data on a need-to-know basis” as the best way of giving employees access to data, as this restricts the amount of data that can accidentally leave the company through human error.
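Least privilege and need-to-know, as recommended above, can be made concrete with a role baseline, an audit that finds grants exceeding it, and an access check that only honours the intersection of what was granted and what the role needs. The code below is an added example, not KJR's code; the roles, permission names and user grants are constructed, and `bob` is deliberately given grants beyond his role to stand in for the "incorrect or excessive access permissions" described earlier.

```python
"""Least privilege and need-to-know in code: a role baseline, an audit that
finds grants exceeding it, and an access check that only honours the
intersection of granted and needed permissions.

Added example, not KJR's code. Roles, permissions and users are constructed.
"""

# Assumption: each role's baseline is the minimum set its duties require.
ROLE_BASELINE = {
    "support": {"tickets:read", "tickets:write", "customers:read"},
    "finance": {"invoices:read", "invoices:write", "customers:read"},
    "engineer": {"repos:read", "repos:write", "ci:run"},
}

# Constructed grants as an identity system might hold them: (role, granted permissions).
# Bob's grants have drifted beyond his role, the excessive-access case described above.
GRANTS = {
    "alice": ("support", {"tickets:read", "tickets:write", "customers:read"}),
    "bob": ("support", {"tickets:read", "tickets:write", "customers:read",
                        "invoices:read", "payroll:read"}),
    "carol": ("finance", {"invoices:read", "customers:read"}),
}


def audit_excess(grants, baseline):
    """Users whose grants exceed their role baseline -> sorted extra permissions.

    This is the review list: each entry is data a person could reach out of
    curiosity alone, which is exactly what need-to-know is meant to prevent."""
    report = {}
    for user, (role, granted) in grants.items():
        extra = granted - baseline.get(role, set())
        if extra:
            report[user] = sorted(extra)
    return report


def effective_permissions(user, grants, baseline):
    """Need-to-know enforcement: a permission counts only if it is both granted
    and part of the role's baseline. Unknown users or roles get nothing, so
    drift in the identity system never widens access on its own."""
    role, granted = grants.get(user, (None, set()))
    return granted & baseline.get(role, set())


def is_allowed(user, permission, grants, baseline):
    return permission in effective_permissions(user, grants, baseline)


if __name__ == "__main__":
    print("excess grants:", audit_excess(GRANTS, ROLE_BASELINE))
    for user, perm in [("alice", "tickets:write"), ("bob", "payroll:read"),
                       ("carol", "invoices:write")]:
        verdict = "allowed" if is_allowed(user, perm, GRANTS, ROLE_BASELINE) else "denied"
        print(f"{user} {perm}: {verdict}")
```

The two halves work together: `audit_excess()` feeds a periodic access review so stray grants get removed, while `effective_permissions()` means that until they are removed they still do not open anything, because the baseline is enforced at the point of access rather than trusted from the grant list alone.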

General poor practices

Adding to this, if employees aren’t aware of cyber safety practices, they might endanger their company by falling for phishing scams, using poor passwords or letting unauthorised users access their work accounts (usually through shared devices).

Obviously rectifying these practices adds an extra layer of protection, making employee security awareness essential in preventing human error at work.

Where does stolen data go?

Once an organisation’s data is in the public domain it can find its way into the hands of competitors or media outlets, sparking unwanted headlines. In crueller cases it could end up on the dark web, where data can be bought by malicious entities. An experiment conducted by Bitglass in 2015 followed a set of fake employee data files after leaking them onto the dark web. Within 12 days, the data had already spread to 22 different countries and was viewed nearly 1,100 times. Adding to this, a recent research report completed at the Ponemon Institute indicated over 50% of organisations take “weeks” to fully confirm a data breach has been contained, meaning there’s plenty of time for important information to be spread and sold. Once data has been stolen, it can end up anywhere and can lead to identity theft and financial loss for both employees and customers.

As well as protecting data privacy, businesses need to consider the importance of data on a reputational and financial level. We’ll explore this further in our next article, covering the impact stolen data can have on organisations, employees and consumers, as well as the steps to take in such a scenario.

For now, recognise the importance of human error as your company works to maintain a secure data holding. After all, no employee wants to be responsible for a data leak that could directly impact hundreds (or thousands) of individuals.

KJR has been successfully combatting risks in the virtual realm for over 21 years. Collaborating with clients and specialising in cybersecurity services, our consultants successfully keep companies on top of threats and provide quality cybersecurity awareness training. Our team can also monitor and minimise your organisation’s level of online vulnerability.

Think your organisation needs cybersecurity awareness training? Contact KJR today for a quote. Or visit our Cybersecurity service page for more information on our expertise.

KJR is an Australian technology-focused strategic advisory firm specialising in cybersecurity, devops and digital assurance solutions.
