According to a statistic by Boscom research, a whopping 85 percent of employees have admitted to taking company documents and information when they leave a business. This means that more than half of companies have experienced attempted or realized data theft by corporate insiders over the past 12 months.
Thus, the most common method of data theft is not the orchestration of elaborate hacks or data breaches; it isn’t the setting up of systems of secret cameras and microphones. Data is most commonly stolen by simple copy-and-paste. The most common perpetrators? Corporate employees.
Of course, this is only possible if these employees have access to sensitive data. If data is properly protected and encrypted, your leads, customers, and their data are safe from compromise.
Data is the new oil – it is more precious to your business than gold. So, where to begin your data-protection regimen? Start with the places where data flows the most freely in and out of the company: client phone calls, phone numbers, and e-mail addresses.
Encrypted Data and Communication
Using encryption to protect phone numbers and email addresses is the best way to avoid internal theft. If these simple pieces of data are hidden from sight, employees don’t have direct access to client’s contacts. In turn, means that they can’t steal client contact information and use it for their own purposes.
In other words, encrypted data has no value – it can’t be sold. Even if someone did manage to sell a chunk of encrypted client data, years would pass before it could be decrypted and used. Of course, it’s essential that your employees are able to continue their work without difficulty even without direct access to clients’ contact information.
So, the key here is to find a reliable solution that will encrypt all sensitive data and still allow your employees. Sounds impossible, right? It isn’t.
For example, you can use VoIP Providers (Voice over Internet Protocol, ie Skype) and auto-dialling applications for calls – with these tools, pieces of data like phone numbers will be hidden from an employee, but the employee can still easily connect with the client.
Email addresses can be encrypted and protected by including special mail servers that convert a client’s real email address into the alias one. The employee will not see a customer’s real email address, but he can still contact the customer without a hitch.
These levels of encryption and data protection can be a heavy undertaking if your company doesn’t have the resources necessary to hire a third-party service to implement them. Even if you don’t have the ability to fully encrypt your clients’ data so that it’s out of your employees’ sight, here are some simple-yet-powerful tips for data protection:
Practice “Least Privilege”
The policy of “least privilege” operates on the assumption that all data is off-limits to a given user unless that user is explicitly given access to it.
Data should only shared with employees on a “need-to-know” basis: unless a user has a demonstrated need to have access to a particular file, she or he shouldn’t be granted access to it. This is particularly important given the severity of the consequences related to leaked data under the GDPR.
Put Data Security Policies in Writing
You may think that it should be obvious to your employees that they should not take home or email sensitive data outside the internal network without explicit permission. However, unless you put such policies in writing (and have workers sign in agreement), you may be hard pressed to penalize them for violating that.
Policy – the simple truth of the matter is that unwritten rules are much more difficult to enforce. The policies you create for your company should be specific and give examples of what’s prohibited.
For example, unless you spell it out, workers may not understand that emailing a company document as an attachment to someone outside the network (or even to their own home account) is a violation of policy, just as bad (or worse) as copying that document to a USB drive and physically taking it out the door.
Set Restrictive Permissions
Unfortunately, you can’t depend on policies alone to protect your data. Simply telling employees what they shouldn’t do won’t prevent some of them from doing it anyway. Therefore, the next step you should take to keep your data safe is to set the appropriate permissions on data files and folders.
Data on Windows networks should always be stored on NTFS (New Technology File System)-formatted drives. This gives you the ability to apply NTFS permissions along with any share permissions. NTFS permissions are more granular than share permissions and apply to users accessing the data on the local machine as well as over the network.
Following the principle of Least Privilege, you should give users the lowest level of permissions possible for them to get their work done. For example, you can grant “Read Only” permissions to prevent users from modifying files.
Restrict the Use of Removable Media
One of the most popular ways to sneak digital information out of an organization is by copying it on some sort of removable media or device. USB thumb drives are inexpensive and easy to conceal; high-capacity SD, CF, and other kinds of flash memory cards can hold a huge amount of data. Users can also copy files to their iPods or other MP3 players or to CD or DVD writers.
To prevent data theft via hardware transfer, you can permanently restrict the installation of USB devices by removing the ports physically or filling them with a substance (keep in mind that you won’t be able to use USB drives for anything if you do permanent damage to them.) You can also use software to disable the use of removable devices on each individual computer or throughout a network.
Access Management System
Again, the first (and perhaps most vital) thing you should implement to protect yourself is the principle of Least Privilege. Even with the best cybersecurity technology that money can buy, the simplest way to decrease the number of leads-thefts is to create a clear access policy and to implement it to your CRM system. The fewer the number of people that have access to your data, the less vulnerable your data will be; it really is as simple as that.
However, there is one more important thing to consider–even if you don’t give data access to all of your employees, some of them (for example, IT employees) may still have access to it. So, the ideal way to save data is to be the sole holder of your database key.
Therefore, the head of the firm should be the only individual with full access to all of a company’s data. Other employees will get partial access to the data on a need-to-know basis. Further, user roles must be specific and hierarchical. The manager who holds the main access to all the resources will assign access-rights to sensitive data to other employees based on their role in the organization.
All other employees and callers get minimum access to sensitive data–this is where using encrypted phone numbers and alias email addresses comes into play. If you use a click2call dialler, the caller will not see the number he dials; this access can be extended if needed.
Notification and Alerting
Data-access alerting and logging enables the manager to track all activities involving leads. Ideally, if a system is breached, the manager will see which pieces of sensitive data were accessed and by whom; additionally, the manager should ideally know how many calls were made and how many emails were sent.
If your system allows you to customize alerting on the specific activities, it will help you to decrease the number of insider thefts. For example, if one of your employees opened 300 contacts in 1 hour, this could be a sign that they are attempting to copy the database. If your alert system is correctly configured, these kinds of incidents can be prevented.
Rising to the Challenge
Some of these rules can be quite challenging for firms as they require special in-house development; if possible, solutions can be implemented by a 3rd party provider that is able to meet the necessary requirements.
In the current landscape of internal thefts cases, it seems that firms are gambling with destiny. The problem is not in unreliable employees, but in a management system that leaves too many vulnerabilities. Empower yourself: be aware of all the ways your data can be compromised and take steps to protect against them.