When data moves off a trusted network, it may be a default response to assume malicious intent is involved. We see news headlines about employees stealing data, and as a result we're conditioning ourselves to leap to the conclusion that data leaks are typically malicious. In some cases, it could turn out to be intentional theft, but when it comes to data spilling off the network by our trusted employees, we should take time to dig a little deeper to learn more — especially because cases of data exfiltration are very often due to employee error or negligence.
The vast majority of your employees are well-meaning, hard-working people who never intend to create a cybersecurity problem. In fact, in 2020, 17% of all data breaches were caused by human error, double the amount that occurred in 2019.
Maybe a new employee adds their personal iCloud drive to their work device to make their personal information more readily available, not realizing there is a default setting in place that ends up automatically uploading company data to their iCloud account. Or a team member working remotely during the pandemic might access a file from their personal laptop when their work computer isn't loading. Either way, the employee didn't intend to cause a problem. For security teams to conclude the employee intended harm isn't going to prevent future data loss.
In fact, assuming employees want to steal your intellectual property or trade secrets pits your security teams and employees against one another and could contribute toward unnecessary security-related stress. We need a better approach, one that begins with presuming your employees are just trying to get their work done and that their actions come from a place of positive intent.
Building a positive intent security culture begins on an employee's first day at work. Bake security into your onboarding process, even if you only discuss it for five minutes. Use that time to set the tone that your security team isn't out to get them and that you need employees' help to protect company assets. You should also lay the groundwork for how employees can best work with the security team: Where do they go if they need assistance, have questions, or need to report any issues or concerns?
It's also essential to provide regular, effective cybersecurity training that positions your employees as security heroes rather than adversaries. Instead of just focusing on malicious data theft, educate your team on common ways data is unintentionally leaked to raise awareness and prevent it from happening in the future.
As with any training, you also want to make sure that it sticks. How do you do that? Make the training itself engaging. Change up the format and make it interactive when possible. Pitch your phishing exercises as security challenges where they can work to increase their score of not clicking and reporting the test emails — and be transparent about why you offer phishing training. We typically give new employees a heads-up that we'll be conducting phishing tests, not as a trick but to help them learn to recognize and report suspicious emails. We can't expect them to be great at something they never get a chance to practice.
Transparency goes a long way in both directions. At Code42, we also ask our employees to alert us when they have a business or personal reason to move or share a file. For example, a departing employee recently notified our security team that they were planning on transferring some personal photos they had saved on their work drive to a personal drive. This proactive behavior is helpful because it could shorten investigation times and allows our security team to suggest more secure transfer methods, such as an encrypted drive.
There's still the chance you might encounter an employee maliciously exfiltrating data. It is still best to approach every data leak with the assumption that the person behind it had positive intentions since that is often the case. When reaching out to an employee about a security misstep or error, the language and wording you use can go a long way toward showing you are there to help and making the employee feel comfortable and willing to work with your team.
For example, if you notice a suspicious file transfer, you can send the employee a note along the lines of "We noticed a file transfer to a personal email account. Can you confirm if you're aware of this?" — instead of "We received notice that you transferred a file to a personal email account, so we are locking down your computer." Or if someone has not completed a required security training, you can say: "Our records show your security training is overdue, can you confirm?" More often than not, this will lead to a response from the employee asking where to find the training, indicating it's an education/communication issue instead of negligence.
Security problems can cause a lot of stress, both for employees and security teams. We need to rewrite and strengthen the security narrative to emphasize that most employees are well meaning. Doing so will show employees your team views them as trusted security partners and will allow the business to be more efficient and proactive about their security approach.