Cybersecurity: Don’t Treat All Employees the Same When Trying to Protect Data
Almost every senior executive worries about the loss of confidential data from their company. Whether criminals steal it or it leaks out by accident, there are far too many high-profile examples to let anyone forget about the threat.
Away from the headlines, however, there are two crucial facts all execs should be aware of. First, the cost of these data breaches has risen nearly 15% since 2014 to an average of $4 million for the average large company and, second, a company’s own employees are by far the biggest source of these “privacy incidents.” CEB data from more than 5,600 employees across all industries and geographies show that almost 80% of employees exhibit behavior that could expose their company to significant privacy risks. And, worse than that, the data also show that senior executives can be the worst offenders.
Risk Profiles by Seniority
Data privacy teams are still fairly new in many of their companies, and so are still trying to establish the types of conventions, processes, and protocols that exist in far more established assurance functions, like Legal or Internal Audit.
What’s needed to help employees realize the risks of a data breach, and to understand the steps they should take to prevent it, can vary significantly based on role, function, and geography. This makes it difficult to create and deploy consistent and relevant guidance given the small teams and limited resources of most data privacy functions. So data privacy teams will benefit from a better understanding of the risks posed by different groups of employees, and from moving away from a one-size-fits-all approach.
1. Non-managers: Non-management staff are typically the largest employee group within any company, so they represent a high volume of decisions and behaviors that can have implications for data privacy. Despite their lack of seniority, they often have a significant amount of access to confidential information. For example:
- 61% can access their company’s proprietary information or trade secrets.
- 21% can access financial information about their customers.
- 20% can access employment information (e.g., salary, employment history) about other employees.
Given their level of access and the number of decisions they make, even minimal gaps in their data protection habits can generate a significant risk. Unfortunately, non-managers often exhibit behaviors that jeopardize confidential information. For example, 41% frequently leave confidential data unattended in accessible locations (e.g., desk, printer tray), and 42% frequently copy or e-mail confidential data to a personal device or account to work at home or on the road.
This behavior exposes the organization to privacy risk — most notably data breaches. To manage this risk, privacy teams should ensure all staff accessing confidential data know how to safeguard it and why. If you have not yet done so, launch a company-wide privacy awareness campaign, educating employees on appropriate behavior and providing resources to facilitate that behavior.
Additionally, certain groups require special attention because of the high-risk nature of their roles. These high-risk groups vary across companies, but two common groups are data analytics teams, which can create privacy risk through innovative uses of customer data, and HR teams, which hold the keys to payroll data, social security numbers or their equivalents outside the US, and other confidential employee information. You should provide targeted training and communication to these groups, preparing them for risky scenarios specific to their roles.
2. Managers: In general, managers have more access to confidential data than non-managers. This access does not indicate a proportional increase in risk, however, because managers’ personal privacy behaviors are relatively strong. Rather than solely considering the risk they pose personally, data privacy teams should focus on the fact that managers, through their influence on their teams, have an outsized impact on privacy behaviors throughout the whole company.
For better or worse, managers set the standard for privacy behavior, and their teams follow it. Teams legitimize their decisions based on examples set by their manager, and they prioritize competing interests — such as doing all they can to prevent a data leak and doing all they can to hit a quarterly sales goal — per their manager’s instructions or behavior.
In particular, three factors keep managers from helping their teams understand what the right behaviors are.
- Competing objectives: Managers may fear that diverting employee attention to explain why good privacy behaviors are important could jeopardize hard business goals (like the date of a product launch, or the drive to keep costs under a certain figure).
- Inadequate preparation when discussing data privacy: Managers may not fully understand privacy expectations, or how to demonstrate or speak about them with their teams.
- Overwhelming expectations: Managers in today’s work environment carry many responsibilities beyond their core role, making it difficult to remember and prioritize data privacy.
As a result, managers are falling short. Only 50% of employees say their direct managers frequently talk about the importance of privacy policies, laws, and regulations, according to CEB data, and only 51% of employees say their direct managers clearly explain what is expected when it comes to data privacy policies, processes, and laws.
To improve how managers influence their teams, they must receive training — whether from Data Privacy or another function — that focuses on their role in privacy risk management. They also need talking points, sample communications, and other resources to help them engage with their teams. And finally, they need the right channels to ask privacy-related questions and escalate any concerns.
3. Senior executives: Data privacy teams typically worry about executives at the division head or vice president level not setting a strong “tone at the top.” And this is for good reason, as many employees do report weak privacy signals from their leadership.
For example, only 36% say senior leaders at their company visibly reward and celebrate examples of good privacy behavior around confidential information, and only 53% say senior leaders at their company frequently talk about the importance of following company policies, laws, and regulations related to confidential information.
An exclusive focus on tone at the top, however, is misplaced. While they do influence employee groups across the company, senior executives themselves should actually be considered a high-risk group. They can access more types of confidential information than lower-level employees but, surprisingly, they often have poor privacy behavior, failing to take adequate measures to protect this information.
For example, CEB data show that 35% sent confidential data to an unauthorized person in the past 12 months, and 24% would violate privacy policies to get work done.
Senior executives may compromise on their personal privacy behaviors because the consequences seem negligible compared to not hitting deadlines or business goals. Data privacy teams can use real-world examples to help execs understand the consequences of their privacy-related decisions. Positive examples can demonstrate the benefits of strong privacy behavior on business outcomes, such as customer loyalty, and negative examples can illustrate the financial, operational, and reputational costs of privacy failures — particularly those originating within a company’s leadership.
Data privacy teams should connect these positive and negative consequences to executives’ behavior, teaching them how to safeguard confidential data in scenarios they are likely to encounter.