
Sergio Bertoni, Leading Analyst at SearchInform
71% of small and medium-sized businesses experienced attempts by employees to leak data, SearchInform research states. However, employees often leak data accidentally and without any malicious intent, for example, because of negligence or cyber illiteracy.
Today, establishing control over employees’ actions with data is a common practice, but it cannot be ensured without specialized software – DLP systems, which have become a basic tool for protecting companies against data breaches caused by insiders. DLP systems are also used to avoid data misuse, improve the level of work discipline, and retain valuable staff.
Control within the Law
The employer has the legal right to control employees to protect sensitive information such as personal data, banking and commercial secrets, data collected by state information systems, and data in industrial control systems at critical infrastructure facilities.
For example, an employer is responsible for keeping passport scans and other documents of employees safe, as well as the data of the company’s partners and clients. This is enshrined in the laws of many countries, as well as in international legislation such as GDPR.
However, personnel must be informed that the organization where they are employed is using an automated monitoring system (like DLP). The fact that an organization uses specialized software for employee control must be documented in corporate policies.
Employees, in turn, should be informed about what the protective system is used for, and should sign a consent for their activity to be monitored.
The employer needs to draw up an additional agreement to the employment contract and outline all the tasks the system is used for, which could be the following:
● Oversee employees’ compliance with job descriptions and internal labour regulations;
● Control the appropriate use of the company’s information resources and technical means to fulfill job duties;
● Ensure protection of commercial, trade, official, and other secrets as required by national and international regulations.
DLP systems are also deployed to maintain discipline and evaluate staff productivity.
When such a system is implemented in the corporate IT infrastructure, the employer should take measures to avoid conflicts and misunderstandings between the team and management. Introducing corporate regulations on working with information will help solve this task. In addition, a separate policy on how documents need to be stored, and on whether it is permitted to use clouds and personal email to communicate work-related tasks and other questions, is a must. This way employees will understand what they are allowed to do at work and what is prohibited. For example, an employer may not allow an employee to use a corporate PC for non-work-related activity such as using social networks or storing personal photos.
What are the benefits of being monitored?
The issue is that employees often interpret various monitoring systems as excessive control and distrust. In this case, it is crucial to communicate to the team the advantages employees receive from being monitored by protective software. Providing employees with real-life cases will help in this regard.
The first case from SearchInform practice proves that DLP systems help employees avoid being accused of a crime they never committed:
● The security department specialists found confidential data on an employee’s corporate PC that he did not have access to. The investigation revealed that remote access tools were regularly run on his computer, although the employee hadn’t noticed it.
It turned out that the network administrator temporarily stored confidential data on the ‘victim’s’ PC before transferring it to third parties. Thus, the DLP system helped identify the real intruder and save the honest employee from being dismissed.
If our client did not have a DLP system, it would have been very difficult for the guiltless worker to avoid suspicion and prove that he was not involved in the data leak. Unfortunately, such cases are not uncommon.
In this way, modern control systems help to avoid situations in which staff members need to justify themselves. In some organizations where DLP is not implemented, employees in the same situations may be required to undergo polygraphs or other stressful procedures.
DLP at employees’ service
There are several major ways in which a DLP system brings important benefits to employees. Firstly, the DLP system reduces the risk of accidental data leakage, which could lead to sanctions against the employee. The system is equipped with proactive blocking functionality, which is fine-tuned by an Information Security specialist. The feature reduces the chances of confidential documents intentionally or unintentionally leaving the company’s information perimeter.
DLP also notifies the user (InfoSec specialist or another professional in charge) about suspicious employee activity.
In addition, DLP systems can be equipped with an open mode of operation that uses special notifications to help the user avoid committing dangerous actions. It is also possible to customise alerts about dangerous actions or enable the user interface – a visible window on the taskbar so that personnel can communicate freely with the InfoSec professionals.
● Case: An employee of a research institute was preparing documentation containing data from clinical trials of a drug. Out of habit, he sent the documents for review to a former manager, who at the time was already working for a competitor. The incident, which occurred by mistake, severely damaged the reputation of the institute. However, it could have been avoided if a DLP system had been deployed.
Secondly, DLP ensures confidence that all incidents will be investigated objectively and thoroughly. This applies not only to preventing false accusations but also to verifying complaints from employees about arbitrary behavior by the company’s top management.
● Case: One of our clients, a retail company, deployed a DLP system. Then, a suspicious email to the CFO from one of the dismissed employees was found. The ex-worker accused the CFO of taking full advantage of the CEO’s trust to fire valuable specialists without a legitimate excuse.
The email also contained references to former employees who had been dismissed not for labour violations, but simply at the will of the CFO. After the investigation was conducted, he was fired.
Thirdly, the DLP feature of monitoring employees’ activity gives the employer an evaluation of their productivity. It helps staff members to build their reputation and distribute their workload correctly. When users get DLP notifications that someone is overworking, they can take relevant measures – lighten the load, reorganize work processes, and reward those who work harder than others.
There is one unusual case from our experience related to productivity monitoring:
● Case: About 100 employees worked in the office, and everyone was valuable for business. With the help of DLP, the company noticed that one of the employees was taking much longer than his colleagues to complete projects (2 weeks instead of 3 days).
At first, management assumed that the employee was working for a competitor, but the DLP system found out the real reason – the employee did not know how to use several functions of the computer-aided design system, so it took much longer for him to fulfill the tasks. He was sent for training to improve his skills and productivity. Thus, the DLP helped the company to get a more loyal and skilled employee.
Outcome
The above-mentioned cases show how security solutions help organizations retain valuable specialists and protect the interests of employees. All the management needs to do when implementing a control system is to communicate properly the benefits and necessity of its deployment to the team.
There is a global trend today to build corporate information security systems with employees’ involvement in the process. This approach aims to provide workers with resources and knowledge of potential threats, and to create awareness of the importance of their role in ensuring data protection.
Following this trend, some security solutions, including DLP systems, already have functionality that helps employees assist information security specialists in combating data-related incidents and reducing potential risks associated with human error.