Before companies can educate employees about the risk of customer data loss, they have to understand which behaviors put their data at risk.
A Cisco Systems survey identified the following as some of the most common behaviors behind data leakage:
- Unauthorized software installed on company computers
- Personal use of company computers
- Giving access to unauthorized visitors
- Working remotely from an unsecured location
- Misuse of passwords and login information
It's important to address all these common behaviors with your employees to ensure they know the dangers associated with violating company policy.
1. Start at the Top
Executives and managers need to be personally responsible in their computer and data use. Not only do their actions provide a model that other employees in the company will follow, their greater level of permissions may make data breaches through their use more severe. And because executives and managers represent the corporation at a higher level, their misuse may expose the company to greater risk of lawsuits.
They may resist it, but every executive and manager in your company must be taught the proper way to handle customer data, and must take responsibility for modeling that use.
2. Limit Access to Customer Data
When you are training managers and executives, make sure you ask the question: Among the people you supervise, who actually needs to access customer data? Then limit access to the people that actually need the data.
Every person who has access to customer data is a potential source of risk. Limiting those people limits risk.
In addition, people who don't use customer data in their work may not know, or may forget, that they have access, which may make them less careful in their handling of data. For example, if an employee only works with a non-identifying part of a large record, they may forget that other parts of the record contain sensitive information. When necessary, separate data into secure and open portions.
Limiting access is also important when it comes to company mobile computers or smartphones. Whenever possible, don't put secure customer data on laptops. Don't let employees access secure data over unsecured connections. And don't let employees check out computers unless they have a real need to use them.
3. Teaching Should Never Stop
It's important to train every new employee on data security protocols. Make sure they know what's expected of them and have them sign a pledge to keep data secure.
However, it's important to remind employees regularly about their data security responsibilities. Give regular refresher courses. They can (and should) be brief, but make sure you get the point across. Also, give training whenever policies change. Don't count on an email or memo to get the point across.
4. Give Targeted Training
Making everyone sit through a general security meeting where only part of the training is relevant encourages everyone to tune out. You can't expect people to perk up for their part of the training.
Instead, give multiple training sessions tailored to the information security needs of each job. This allows the sessions to be shorter, and everyone will know that all the information is relevant, which will improve attention and retention.
5. Count on Human Frailty
Despite all the training you give, expect that a significant percentage of people will violate company policy. Cisco's survey showed that 52 percent of people who altered security settings on their computer did so willfully in violation of their company's policies, with 35 percent of them saying that what they did on company computers was none of the company's business.
Cloud-based security solutions help you protect customer data even if your employees tend to be less strict about following protocols. They can force password changes, limit access to customer data, and even add security when employees are using work computers for personal use (such as social media).
Don't let casual disregard of customer data cost you reputation, money, and customers. Enlist every employee in keeping customer data safe, and be prepared for when they fail to uphold their commitments.