While 55% of data breaches are perpetrated by malicious outsiders, 25% are due to accidental loss and 15% are by malicious insiders. If your employees are not complying with data security, there are steps you can take to mitigate this. Here’s how to encourage employees to comply with data security measures:
Why employees choose not to comply with security measures
A CISCO survey of employees in 10 different countries revealed that 44% of employees would share information in an unauthorized manner because they “needed to bounce ideas off people”, while 30% said they “needed to vent” and 29% didn’t believe they were doing anything wrong. Here are some reasons why employees might ignore security measures:
- Sometimes employees just ignore security protocols to save time or just because they can.
- Employees often share their work device with family members, as it’s cheaper than buying one for themselves.
- Disgruntled or unhappy employees may intentionally put company data at risk.
- Employees often prefer to use their own personal email accounts, even if doing so violates company policy.
- Sometimes data security is so stringent and un-user-friendly that people look for ways to save time, especially if they are under pressure to deliver.
Recommended reading: 50 Startling Data Breach Facts Every Business Should Know
11 Scenarios of Employees Sharing Personal Data Incorrectly
1. Sending personal data to the wrong email address
Without care, employees can accidentally send personal data to the wrong email address.
Use a sharing platform that lets you revoke access after sending, rather than an email client: the recall feature in an email client usually won’t work once the message has been delivered.
2. Sending personal data on an email attachment that is unsecured
Are your employees sending any personal data on email attachments? Are these attachments even password protected?
Sending personal data as an email attachment is not a secure way to send it. Screen outgoing emails that carry attachments to make sure personal data isn’t leaving this way.
3. Taking Customer Data Home on a Laptop or USB
Make sure your company policy states that no files containing personally identifiable data should be kept on laptops or USB drives.
Staff training should include the fact that customer data should never be downloaded and taken home. Monitoring and regular audits will help keep tabs on this.
Recommended reading: 11 Mistakes Employees Can Make When Sharing Personal Data
4. Using Personal Email Accounts to Send Data
Employees sometimes prefer to use personal email accounts or forget that they shouldn’t.
Update your company policy about sending data via personal email. Remind staff in your policy that the company can legally monitor anything they access using the company’s computer system, even their personal email account.
5. Transferring Sensitive Information Using Unsecured Communication Channels
Could your employees be using messenger or software chats to send personal data that might not be secured?
If required, offer a secured chat software and make sure your staff training covers why it is important not to share any personal information on any unsecured chat platforms.
6. Sharing Work Devices and Data with Non-employees
Employees who work from home sometimes let their family use the laptop. Can people access data if they are not authorised to?
Ensuring that employees don’t take personal data home, and that any access to company systems from home goes through encrypted connections, at least helps guard against unauthorised access.
7. Using Personal Devices
Many employees now use personal devices to check work emails, access work platforms, etc. How can you ensure that the devices are safe and secure? What happens if they leave the company and still have access on their devices?
Make a “bring-your-own-device” agreement part of company policy, and ask employees to sign it if they want to use personal devices for company work. It should essentially say: if you want the privilege of accessing our proprietary, confidential systems and the convenience of accessing them on your personal device, you have to waive your right to privacy on that device. Many employers reserve the right to monitor the employee’s activities on the device and to remote-wipe it if there is a security risk, for example if the device is lost or stolen.
8. Sharing via Cloud Drives
Are your employees using Google Drive, Dropbox or other cloud-based drives to share any data on customers? You cannot be 100% sure that data stored on these cloud services is held in the EEA, so unless your employee knows for a fact where their shared file is located and can be 100% sure that encryption is in place at every level, this could open your company up to problems.
Your company policy should include not using public cloud drives for sharing any data on customers.
9. Leaving Confidential Information Unattended
If an employee leaves confidential information on screen unattended, anyone (other employees, office visitors, even cleaning staff) could steal that data by taking a picture with their phone.
Privacy screens should be fitted to every work laptop and desktop as standard, together with password login.
10. Receiving Data from Suppliers or Partners in an Unsecured Manner
Suppliers and partners may not send data securely so employees might end up receiving personal data files in an unsecured way.
Partner and supplier contracts should specify data compliance requirements, and there should be an in-house notification system so that staff can report when they receive data in an unsecured way.
11. Leaving Your Organisation and Leaving With Data
If an employee leaves your organisation, could they potentially leave with data?
Make sure as part of the exit procedures that access is revoked and that personal devices are disconnected from access.
Recommended reading: 20 Steps for Taking Control of Personally Identifiable Information You Handle
What Organisations Can Do About Employees and Security Measures
Write down your procedures
When your procedures are written down in a way that’s easy to understand and implement, you automatically remove the opportunity for excuses.
Make them easily accessible
The policies and procedures should be easily accessible to every employee and part of onboarding new employees is that they read and sign that they have read them. They could be stored on your project management space or internal noticeboard, somewhere that is easy to access and read online.
Give your employees reasons to adhere
If your procedures are perceived as extra work, employees won’t take them seriously. Give your employees a deeper reason to adhere to those procedures. Let them know why you have them in place and why it’s necessary to understand and adhere to policies and procedures.
Reward compliance and guide non-compliance
Tell your employees very simply what compliance with company policies means. Reward compliance and guide stragglers. Checklists are good, where an employee has to simply tick off a certain task in a procedure after it has been completed.
Check compliance regularly
Check compliance regularly and monitor laptops and devices.
Use a secure sharing system
Use of a secure and encrypted share system like Rinodrive actually means that scenarios 1-5 can be easily avoided.
Make sure data is encrypted At Rest and In Transit
Making sure all personal data is encrypted both at rest and in transit will help mitigate against accidental loss.
Make sure Data Retention Policies are put in place
Ideally these should be automated through your data management system so that data is only kept for as long as it is required to be kept for.
Strict access privileges
Make sure only those who require access are given access, and revoke that access when they leave the organisation.
Regular staff training
Regular training not only emphasises good practice and behaviour but also builds a culture of care for and respect for personal data.
Exit procedures for employees leaving
Your exit procedures should make sure access is revoked and personal devices are disconnected.
Recommended reading: How to Take Control of the Personally Identifiable Information You Handle