Risk of data leaks high as employees unsure about confidentiality
One in four employees are at risk of sharing confidential work-related information due to a lack of knowledge, new research has revealed.
Research from KnowBe4 found almost a quarter of employees are unsure whether the information they are working with is confidential or not. This means that information that ought not to be shared with others outside the organisation risks leaking out, without the employees being aware of the hazard.
Research director Kai Roer says the results indicate poor training and follow-up by management.
"Managers have a responsibility to train their staff to treat the information they are working with in a good way," says Roer.
"That as many as a quarter of employees are unsure about this indicates a considerable failing in many companies."
If confidential information falls into the wrong hands, it could harm the company in a variety of ways. Some information could be market sensitive, some could impact the organisation's reputation or breach data privacy regulations, while leaked log-in information could give cybercriminals access to business critical internal systems.
According to the research, there are considerable differences between different business sectors. In the construction, education, transport and retail sectors, as many as 34–35% say they are unsure about the status of the information they are working with.
In banking and finance, on the other hand, the proportion is down at 16%.
"We also see the same tendency in the annual security culture report," says Roer.
"Sectors like banking and finance are, on the whole, more used to dealing with confidential information and probably have better routines and procedures for this.
"We see a clear link between the various aspects of security culture. The organisations that do well in one area, generally also do well in other areas," he says.
"Unfortunately, IT security is equally important for everyone, regardless of business sector. This has been demonstrated by a series of cyberattacks in Norway over the past year."
A great many workplaces include non-disclosure agreements, specifying what can and cannot be shared, in their employees' employment contracts.
Roer says these figures indicate that the issue has generally not been properly explained to or followed up with employees.
"When someone starts a new job, they are given access to a lot of information. It is the manager's responsibility to follow up and ensure that their employees are confident in their role and know how to handle the information they encounter," he says.
"It is equally important to ensure that employees handle confidential information correctly as time goes on. It is not enough just to provide training when people join the organisation."
Constant follow-up and training in the practice of IT security is needed to refresh employees' awareness and keep them up to date with the latest developments.
"Cybercriminals are working constantly to develop more cunning methods of attack," Roer says.
"In addition, things can happen within the company to change the situation, which employees must be made aware of."