Danny Boice on Protecting Your Business from Data Breaches
Hi everyone. I’m Danny Boice, the Co-Founder and CEO of Trustify. Today, I'll talk about Protecting Your Business from Data Breaches as part of our Truth & Trust Lifecycle Series.
Protecting Your Data
You might be feeling that no matter what you do or how much money you spend on protecting your network, a ticked off employee could simply circumvent the system by being on the inside. However, you actually have more power than you might realize in protecting your data.
Most people have a false sense of security when they’re using the internet. Personally, I actually assume that anything I write—whether by text message, email, chat, or otherwise—is being backed up and replicated in multiple places throughout the internet. Of course, it’s great to know your information is being backed up if you’re fearful of losing it, but it’s not great if that means a hacker can access it. I just assume the worst, that everything could potentially be seen, and I act accordingly.
As an employer, you can use this false sense of security if you need to check on an employee. It’s funny how employees don’t really consider the information that can be shared online. I remember when one employee was saying too much on Slack. She was messaging coworkers about how she was abusing Ritalin or Adderall at work. She was writing, “I’m not doing any work today. I hope Danny and Jen don’t notice.” She didn’t ever stop to think that we might be backing that stuff up. Once we saw there were issues, we looked into it.
Another disgruntled employee had been taking screenshots of our internal messaging platforms. This employee was about to get her review, and we suspect she thought she might get fired. We caught her red-handed, downloading screenshots of customer information and investigatory cases to her personal Dropbox account. She was doing this on our work computer, and we seized it when her download was literally mid-transfer. It doesn't get more red-handed than that.
Valuing face-to-face communication can also help protect your data. We’re relying too much on chat and email for every single thing. Of course, there are many reasons to interact in person from a psychological and relational perspective, but it’s also important for security. Face-to-face communication is likely the safest way to communicate. Yes, you’ll need to do a little extra work of taking notes or bringing someone along to have a third party present if you’re worried about needing documentation, but the extra work is worth it.
Whenever new technology emerges, everybody wants to use it for everything. It becomes a tool that is used even when it’s the wrong tool. So today, everybody is using long-form emails or text to communicate something that would be much better communicated over the phone or face-to-face. As we reflect on what we’re doing and the pendulum starts to swing back, we’ll admit that some things should not be done purely electronically. Sensitive communications, for example, should always be handled in person. In the worst-case scenario, they should be done over the phone.
Face-to-face conversation also allows you to spot particular identifiers that might reveal an employee is disgruntled. You can learn to be more aware or teach supervisors to be more aware of what employees are talking about. You can have “ears on the ground,” so to speak, so that you can quickly know when someone is unhappy. A good supervisor should be able to recognize when an employee is not performing as well as they have in the past or when the employee is having unnatural swings. Of course, you don’t want your supervisors to be paranoid, but it never hurts to be more aware of the status of each employee.
Some changes in employees are less obvious. Sometimes, you have to be more observant to be able to see when an employee is becoming unhappy about something outside of work or disgruntled about something inside of work. Interestingly, one of the most telling qualifiers for people who may be prone to dishonest activity is when their blind carbon copy (BCC) usage goes up in their emails. When somebody starts BCCing themselves or others, that’s an indicator that they are becoming unhappy and are going to leave or do something against the business.
If someone’s use of paid time off and vacation suddenly changes, that can also be a huge red flag. Oftentimes, that means they may be pursuing another job. Employee engagement studies have shown that when employees don’t feel they are getting what they deserve, they are less likely to do good work.
You might be surprised to know how few companies take time to monitor conversations and statuses of employees. For example, many companies today use Slack for internal messages, but they don’t know they need to turn on compliance reports to be able to have a record of what everybody has said. Things get more complicated with Google apps. You have to really know what you’re doing to be able to go in and pull people’s emails. It’s not as straightforward as you might think. In theory, you are legally allowed to do this, at least in most states. However, most companies aren’t pulling information in a way that is actually relevant. For example, if you don’t know that BCCing is an indicator, you would never know to pull that information.
It’s impossible to keep all of your employees happy all the time, but you can at least be prepared to protect yourself from losing data if one does become upset. A final simple way to do this is to put in place best practices for IT security. Understanding who has what access and to what level is a good starting point. Who has admin rights on what account? It's too easy for small companies, who outsource a lot of this stuff to the Cloud, to never check this. Every company, no matter the size, needs to go back through and audit who has admin rights and access to internal information of any kind. By doing this, you might suddenly realize that there are thirty admins for every account. They all have access to everything.