Data is undoubtedly the most important asset for a company. Securing data in the digital era is like a tightrope walk for most organisations. Information leaks are becoming a common concern among small and large organisations alike. Intellectual property worth billions of dollars is susceptible to leaks, resulting in companies losing their competitive advantage in key emerging markets.
In a recent case, Google admitted that more than 1,000 audio recordings of customer conversations on Google Assistant were leaked by some of its partners to a Belgian news site. The information leaked also included audio files on important Google products in China, some of which were developed in partnership with the US military.
In the past, Google has had a reputation for openness, allowing employees wide access to documents and source code regardless of their job assignment. Now, following these information leaks, Google is starting to tighten the reins. It has also curbed the recording of its weekly all-staff meeting, known as TGIF, which is made available to all staff in perpetuity. The executives who attend are no longer taking live questions from employees at the meeting.
What Is an Information Leak?
An information leak is an event in which confidential information is revealed to unauthorized persons or parties. Such leaks can directly lead to a huge loss of revenue for your business. They can also damage your company’s reputation: future customers may be reluctant to divulge information to your company and apprehensive about working with you.
Companies can take proactive steps to protect confidential information and trade secrets by delineating the consequences of a breach and creating a dialogue with employees about these risks. Here are some ways to tackle information leaks:
How to Deal with Information Leaks and Protect Confidential Information
1. Establish Legal Compliance
Employees are legally obliged to not share confidential data of the employer. It is often useful to include clauses within the employee’s contractual documentation to remind the employees about their obligation. It is also important to include post-termination confidentiality clauses for information that is classified as a trade secret and other information the company may deem fit to protect.
2. Proper Training
Data leaks can happen deliberately or by accident, and through various channels.
More than 66 percent of data leaks logged by InfoWatch Group in 2016 occurred internally. Relevant here is the fact that FINRA, an organisation that reviews how firms comply with regulations regarding confidential information, has listed a lack of proper training as one of the top cybersecurity weaknesses in businesses.
In order to minimize the likelihood of employees leaking confidential data, all members should receive proper training in handling company data. The training should encompass email use, data protection obligations, confidentiality outside of the workplace and more.
In addition, measures such as monitoring employee email accounts and Internet usage will help to determine where leaks are taking place. Employees should be informed in advance that this monitoring will occur.
3. Encrypt Sensitive Emails
Once your company has educated your team on what confidential information means, this step should come naturally. Don’t leave the handling of sensitive business information to chance. Have email access protocols in place to designate which recipients have access to particular emails, thereby preventing sensitive information from reaching an unintended audience.
4. Control Access
For any information that is stored digitally, it is of utmost importance to have proper controls in place to govern who can access what information, using passwords, firewalls, and encryption. When using passwords, ensure that they are secure and changed regularly. Using an easy-to-guess password is a mistake several employees make, so you should sensitize and educate employees to keep your confidential information secure.
5. Endpoint Protection
The various machines that vital data passes through, such as desktops, laptops and mobiles, require proper security. Endpoint solutions allow the administrator to control devices and see when information is accessed or downloaded. Since employees tend to store sensitive information, including documents and emails, on various devices, your security policies should govern the usage of all devices.
6. Assess Security Permissions
At times, users have far more access than they need. Adopting a Zero Trust approach to access privileges will help you limit the scale of leaks and prevent employees from accessing sensitive data they don’t require for their job function.
For instance, Google’s top legal executive has sent an all-staff email informing employees that accessing documents classified as “need to know” without permission can result in dire consequences, including termination.
You should review your current security permissions and then create proper access policies to monitor data access points. At the same time, don’t impose blanket bans on employees. They also need timely access to data to perform their tasks.
How to Fix Confidential Data Leaks After a Breach?
When it comes to careless information leaks – inadvertent email errors or mistaking one person for another – employers should consider implementing Standard Operating Procedures (SOPs) so that employees can report such instances immediately. Mandating participation in data security workshops or online training modules can ensure increased awareness and compliance.
In addition, you can try tracing the information back to the source who might have leaked it. If there were too many people in the original confidential meeting, making a trace could be difficult. In this case, narrow down to a list of potential sources and stay alert to keep future information safe. Notify the authorities and seek professional help in order to comply with any legal regulations that may be applicable.
In circumstances where the employee is intentionally leaking data, it is best to take prompt action through the formal disciplinary policy. Depending on the situation, the employer can treat intentionally leaking data as serious or gross misconduct and take action accordingly.
A reasonable investigation into the allegations and what went wrong should be conducted. A formal disciplinary hearing should be held with a thorough analysis of all perspectives. Finally, a decision needs to be reached, after careful consideration, as to whether suspension of the employee or other measures to temporarily restrict access are necessary.
Here’s what you can do when you identify someone that reveals confidential information:
- Review and check if the employee understands the effect of the confidentiality breach
- Look over all the facts objectively
- Check your options and decide on action steps
- Take preventive measures
Information is Power
Strive to develop awareness across your organisation about the risk and consequences of information leaks to protect confidential business data. Part of the responsibility lies with the employer to make sure that there are proper security practices to handle confidential information.
Information is power and so it becomes very critical to protect information by taking the right precautions.