29/09/2014

By Martin Sugden, MD, Boldon James


The annual August getaway has been in full swing, but with the sun now setting on the summer holidays, employees are tearing themselves away from the beach and heading back to the office. While businesses are well aware of the issues around covering holidays and keeping productivity levels high during the summer months, keeping corporate data secure is not given the attention it should be. Whether employees are checking into the office remotely via their mobile devices whilst by the pool, or are caught in the post-holiday blues that come with an overflowing inbox, the potential is there for the business's information to be sent to the wrong person or not to be appropriately identified. With the proliferation of BYOD, remote working and a growing culture of never switching off, corporations need to be especially vigilant about protecting themselves against potential data leakage or loss.

So what are the potential risks associated with accessing and sharing information remotely on holiday or when just back in the office? And what measures and best practices should businesses be undertaking to prevent critical business data making it into the wrong hands?

The impact of careless data security

Over the last year we have all witnessed the fallout from highly publicised data loss or from sensitive information inadvertently being made public. Loss of data can mean hefty fines from the Information Commissioner's Office (ICO), damage to corporate reputation and loss of revenue. The running theme throughout these incidents, and many others like them, is that all of them were easily preventable and indicate a lack of good data security awareness and practices amongst staff. Whilst everyone makes mistakes, it is the organisations and their officers that are penalised, so they must put in place robust strategies and technologies to ensure that sensitive data is not inadvertently lost or leaked.

Getting over the post-holiday blues

Returning from your annual break away usually means facing an inbox bursting with requests and matters to be solved instantly. Your co-workers and customers have been beavering away in your absence and now that you are finally back they understandably want a timely response. After deleting the spam, how do you tackle the remaining 900 emails? You either admit to yourself that the day will be spent tirelessly going through the emails, reading, weighing up the response and drafting a thoughtful answer or you quickly reply to all of them in the morning, because you have a meeting to get to in the afternoon.

Let’s face it: most people aren’t match-fit for a couple of days after they return from a break. Mistakes are made when we’re tired from flights or under pressure to clear that holiday backlog, and so the propensity to release data to the wrong recipient is high.

However, the issue goes much further than this. When you add in the tendency for staff to check emails from the beach on their mobile devices, or send last-minute emails while waiting in the departure lounge, the risk of mistakes and data loss is further increased. A recent survey by Travel Republic, an online travel agent, found that half of those questioned checked work emails while on holiday and 26% of those who did replied to them. While there is no doubt that employees have the best intentions in keeping on top of workloads and staying contactable, I wonder how many employees are actively thinking about the danger of inadvertently sharing sensitive corporate data with the stranger eating peanuts next to them in seat 2B?

How do you protect staff from mistakes?

One of the best ways to ensure that data is effectively protected right from the outset is through data classification. Data classification empowers users and businesses to assign a value to the data they create and handle, in the form of a label, so that informed decisions can be taken about how it is managed, protected and shared. This establishes a safety net that helps prevent sensitive data from being distributed in error and enforces data security policy and best practice across the organisation. These labels can also tell you what is trivial and what is important even before you have opened an item, so that attention can be paid to the business-critical stuff.

Employees have to interact with partners and customers for a business to succeed. They are the front line of the business, but without adequate training and education they can become the weakest link.

User-driven data classification captures the user’s knowledge of the context and business value of the data, which is then stored as visual and metadata labels on messages and documents. These can range from something as simple as ‘Confidential’ labels to a label which restricts access to a particular piece of data to a pre-defined group of people, for example the board or the legal team. This means that the user’s assessment of the importance of the data can travel with it, so everyone handling that data downstream is clear as to its sensitivity and safeguarding requirements. Involving a user in the process of identifying and classifying data increases their understanding of the nature of such content and its safeguarding needs.
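The recipient check that a metadata label makes possible, as an added example that is not from the original article or from any vendor's product. The `X-Classification` header name, the label names and the policy table are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

LABEL_HEADER = "X-Classification"   # assumed header name, not a product's
# Hypothetical policy: label -> who may receive it (None = unrestricted).
POLICY = {
    "public": None,
    "confidential": {"domain": "example.com"},
    "board only": {"group": {"chair@example.com", "cfo@example.com"}},
}

def check_outbound(raw_message):
    """Return (decision, reasons) for one outbound message; fails closed."""
    msg = message_from_string(raw_message)
    label = (msg.get(LABEL_HEADER) or "").strip().lower()
    if not label:
        return "hold", ["message has no classification label"]
    if label not in POLICY:
        return "hold", [f"unknown label {label!r}"]
    rule = POLICY[label]
    if rule is None:
        return "send", []
    fields = (msg.get_all("To", []) + msg.get_all("Cc", [])
              + msg.get_all("Bcc", []))
    reasons = []
    for _name, addr in getaddresses(fields):
        addr = addr.lower()
        if "group" in rule and addr not in rule["group"]:
            reasons.append(f"{addr} is not in the group for {label!r}")
        elif "domain" in rule and not addr.endswith("@" + rule["domain"]):
            reasons.append(f"{addr} is outside {rule['domain']}")
    return ("hold", reasons) if reasons else ("send", [])

# Constructed sample messages.
BOARD_MISADDRESSED = (
    "From: chair@example.com\n"
    "To: cfo@example.com, Sam Jones <sam.jones@example.net>\n"
    "Subject: Q3 forecast\n"
    "X-Classification: Board Only\n\nDraft figures attached.\n"
)
UNLABELLED = "From: a@example.com\nTo: b@example.com\nSubject: hi\n\nBody\n"
CONFIDENTIAL_INTERNAL = (
    "From: a@example.com\nTo: legal@example.com\n"
    "X-Classification: Confidential\n\nContract draft.\n"
)

if __name__ == "__main__":
    for raw in (BOARD_MISADDRESSED, UNLABELLED, CONFIDENTIAL_INTERNAL):
        print(check_outbound(raw))
```

Holding unlabelled or unknown-label messages rather than sending them is a design choice of this example; it keeps the check from silently passing mail the policy cannot evaluate.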

Whilst there are a number of initiatives in the industry, such as the impending EU Data Protection Directive, which aim to highlight and educate businesses on the importance of good data security practices, the responsibility for educating staff will always remain firmly in the hands of the company. Technologies that empower users to take ownership of data security, such as data classification, will help organisations succeed where others have failed. That means you can rest assured the business’s sensitive information isn’t being shared with the wrong person should your employee’s head still be at the beach whilst their body is in the office.

Do you have controls in place to help your staff get over the post-holiday blues?