Information Security Awareness for Data Loss Prevention: Making Your Case

Rachel Gress

09.19.2019

What would you do if your data security team told you they had just noticed an employee sending an email that contained more than 100 nine-digit numbers in a spreadsheet?

You’d likely start asking some big questions:

  • Are they social security numbers?
  • Have we been breached?
  • How do we respond?
  • How can we prevent this from happening again?

This scenario is all too real. In the client incident in question, the InteliSecure analyst who responded to the security alert looked closely at the contents of the email and saw that the data in the spreadsheet appeared to be Social Security numbers stored in hidden fields. The analyst also noted that the activity was unusual for the division and that the user had no history of sending sensitive information. InteliSecure escalated the incident to the client, and after an internal investigation the client determined that the file, which actually contained obscured physician tax ID numbers, had been sent unintentionally.
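The detection in the story above rests on two steps: a content rule that counts nine-digit numbers in an attachment, and triage that asks whether those numbers can even be Social Security numbers. The following is an added example, not InteliSecure's tooling or the client's actual DLP policy, of how such a rule can be written so that structurally impossible SSNs are demoted before an analyst sees the alert. The spreadsheet is constructed inline as a CSV export; the column names, the 100-record threshold taken from the scenario, and the `hidden_columns` parameter are assumptions for illustration.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# A nine-digit identifier, optionally written as AAA-GG-SSSS. The lookarounds
# keep the pattern from matching inside longer digit runs such as phone numbers.
NINE_DIGIT = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def plausible_ssn(digits: str) -> bool:
    """Structural check for a US SSN: area 000, 666 and 900-999, group 00 and
    serial 0000 are never issued. A number that fails cannot be an SSN; a
    number that passes may still be some other nine-digit identifier (an EIN
    written without its dash, for instance), which is exactly why the alert
    still needs human triage."""
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


@dataclass
class Finding:
    nine_digit_total: int   # every nine-digit match: what a naive rule counts
    plausible_ssn: int      # matches that pass the structural SSN check
    in_hidden_columns: int  # matches in columns the sender may not have seen
    alert: bool             # plausible_ssn exceeds the policy threshold


def scan_csv(text: str, hidden_columns: set[str], threshold: int = 100) -> Finding:
    """Scan a CSV export of a spreadsheet and summarize nine-digit findings."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    total = plausible = hidden = 0
    for row in reader:
        for col, cell in zip(header, row):
            for m in NINE_DIGIT.finditer(cell):
                total += 1
                if plausible_ssn("".join(m.groups())):
                    plausible += 1
                if col in hidden_columns:
                    hidden += 1
    return Finding(total, plausible, hidden, plausible > threshold)


def build_sample() -> str:
    """Constructed spreadsheet export (made-up values): 120 provider rows whose
    hidden tax_id column holds nine-digit identifiers. 110 of them happen to fit
    the SSN structure, so the scanner cannot tell them from SSNs; 10 use an
    area of 900+ and are structurally impossible as SSNs."""
    lines = ["provider,department,phone,tax_id"]
    for i in range(110):
        lines.append(
            f"Provider {i},Cardiology,5551234567,"
            f"{100 + i:03d}-{10 + i % 80:02d}-{1000 + i:04d}"
        )
    for i in range(10):
        lines.append(f"Provider {110 + i},Cardiology,5551234567,{900 + i:03d}-11-1111")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Expected: 120 nine-digit matches, 110 plausible SSNs, all in the hidden
    # column, alert raised because 110 exceeds the threshold of 100.
    print(scan_csv(build_sample(), hidden_columns={"tax_id"}))
```

Note what the structural check does and does not buy you: it removes the ten impossible values from the count, but the remaining 110 still trip the threshold, because a tax ID and an SSN share the same nine-digit shape. The finding that every match sits in a hidden column is the kind of context the analyst used to judge the send as unintentional rather than malicious.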

This story had a happy ending for all parties. But incidents like this one are often a wake-up call for an organization to take a fresh look at one of the most important elements of its data security program: information security awareness among users.


Users Are Your Strongest—and Weakest—Link in Data Loss Prevention

There are myriad ways for an attacker to gain access to your organization’s critical data assets, but often the most effective methods leverage the access that you’ve granted to legitimate users.

Users are a company’s first line of defense against data loss. Users can also be the reason for a data breach or loss. If you want to have a successful data protection program, it’s essential to take user education seriously.

All users—from machine operators to salespeople to consultants to executives—need to understand what kind of information they are handling. They also need to know how to protect, redact, and handle information at each stage of its lifecycle: creation, storage, use, and transmission.

In a comprehensive data protection program, user education can involve a variety of approaches:

  • Direct information: Users are informed about Acceptable Use Policies and data protection requirements when they join the company. They are given reminders at regular intervals and updated when any policy changes.
  • Automated response rules: Systems can be configured to allow or deny different types of data use depending on a user’s role in the organization.
  • Automated correction: Applications can deliver popup reminders to users when they attempt to use, store, or share data in a way that’s not safe—and give them a way to learn the right action to take.
  • Data security resources: Users can get access to videos or online support and tutorials to learn why an action was denied and see how they can use the data appropriately.
  • Hands-on training: Organizations may hold annual or semi-annual security awareness training and sensitive data reviews.

Embracing one or more of these employee education approaches can have a significant positive effect on a company’s data security. Ponemon’s 2019 Cost of a Data Breach report lists user education as the sixth most impactful means of reducing the financial impact of a data breach, on par with foundational efforts such as implementing and testing Incident Response plans and extensive use of encryption.

But for many midsize enterprises, convincing business leaders to invest in employee education programs and technologies is hard when the return on that investment is uncertain. When you need evidence to support your proposal for user education, your managed data protection services provider may be able to help.


Leveraging Security Metrics: UEBA and Human Monitoring Reveal Education Needs

When you need to make the case for formalizing your employee education efforts, it’s helpful to have information that backs up your request. When you’re working with a managed data protection services provider, that information may already be at your fingertips.

A comprehensive managed data protection program employs a combination of program-specific security policies, automated monitoring through user and entity behavior analytics (UEBA), and human triage and analysis of security incidents. Together, these elements reduce false positive alerts and let your company focus on the true positive incidents that represent potential threats.

All that behind-the-scenes activity generates extensive metrics about information security awareness in your organization. You can reveal insights such as:

  • Whether users are adhering to Acceptable Use Policies and internal guidance
  • What types of unauthorized data transmissions or uses are happening, and how often
  • Which departments or user groups are most commonly missing the mark
  • When user behaviors change and how they evolve over time

With these metrics, you can make informed recommendations about the type of user education that is most needed and where.


You Have the Right—and the Responsibility—to Address User Data Protection Processes

At InteliSecure, one of our goals is to help our clients understand that they have the authority, backed by the policies their users have agreed to, to act when a user handles sensitive information in an unsafe way.

When a company has Acceptable Use Policies that all users are informed of, we recommend that the first step in information security awareness be remediation. When a suspicious event is identified, the company’s internal team can reach out to the user or user’s manager and determine:

  • Whether the user has permissions to access the data
  • How the data was transmitted
  • Whether the use was accidental or malicious

If the misuse was accidental, educating the user is essential. If the action was malicious, the company can pursue disciplinary or legal action against the user and take steps to contain and mitigate the data loss.


Prioritizing Information Security Awareness Pays Off

When you have metrics backed by the experience of your managed data protection services provider, you can flip the order of the questions we asked at the start of this post, so that the most important one is at the top of the list:

How do we prevent data loss?

When you have data loss prevention as your top goal, you’ll find you have to answer questions about responding to lost data much less often.

With a strong program of user information security education, you’ll turn your users into a powerful security force.


Do you need better visibility into data use?

InteliSecure’s data protection experts can help you identify where your critical data assets are most vulnerable—and how to create a practical data loss prevention strategy. Contact us.