Industry View

Five Ways to Turn Employees into Security Assets for Protecting Data

Trend Micro's Glen Kosaka explains how to prevent data leaks by raising security awareness and gaining employee support

By Glen Kosaka, director of DLP products, Trend Micro

May 06, 2008 —

Never before has the threat to corporate data assets been so great—and so costly. According to Attrition.org, an industry monitoring organization, in 2007, more than 162 million records such as credit cards and social security numbers were compromised through December 21—both in the U.S. and overseas. The Identity Theft Resource Center lists more than 79 million records compromised in the U.S. through December 18, 2007. That's nearly a fourfold increase from the 20 million records reported as compromised in 2006.

The explosion of messaging systems, wireless networking, and USB storage devices has made the protection of critical enterprise data even more difficult than it was before. Increasingly, enterprises are operating as "borderless" organizations, sharing information globally between employees and partners. These borderless enterprises are challenged to balance openness and flexibility with security and risk as employees work from home or in coffee shops and other off-site locations when they travel. However, most breaches and loss of sensitive data are caused by employees who are uneducated and therefore inadvertently put their company at risk. Because most breaches are accidental, companies have an opportunity to better protect enterprise data by educating employees on the proper handling of information.

Here are five ways to turn employees into security assets instead of liabilities:

Make data security part of the company culture
Protecting sensitive information should not be the sole responsibility of the security and executive teams. Every department manager has the responsibility to help identify and locate sensitive data, and to propose policies for the appropriate access, use, and protection of that data by employees. Each employee who has been identified as having access to sensitive data should undergo training on the policies and procedures which define responsible care for the company's data. In this way employees and managers alike share the responsibility for not only their own use of sensitive data but also can serve to watch over others to ensure that everyone is observing these policies.

Integrate data leak prevention processes into overall workflow
Many companies have lost control over their sensitive data because the identification, access to, and movement of sensitive data is not integrated into their overall processes. For example, when new documents or content are created, is there a classification process to determine the appropriate policies which apply? Or when employees join a department or transfer between departments, are processes initiated for data protection and access controls for new and prior departments. In addition, the introduction of new mobile devices or remote development sites can introduce new threat vectors for data leaks. When companies think through their core processes, and incorporate data protection steps as appropriate, the risk of data leaks is reduced significantly.