It’s hard to read the news without seeing a story about the latest company to fall victim to a cyberattack. Not surprisingly, these headlines have gotten the attention of boards and chief executives who have responded by investing in stronger firewalls, more advanced detection systems and a larger IT workforce to guard their increasingly sensitive information.
While these investments are certainly necessary, they overlook an equally dangerous risk – employees. The Arlington corporate research and advisory firm CEB analyzed privacy failures across the past three years and found that a majority were caused not by external threats such as hackers but by employees within the company. Further, we found that these failures were largely unintentional – 59 percent were caused by employee mistakes while 38 percent were caused by weak internal processes. Unfortunately, the consequences of an accidental disclosure of personal information through a lost laptop or errant email can sometimes be just as damaging as a hack.
It’s easy to focus on headline-grabbing issues, but the truth is that companies should be spending as much time guiding their employees as they do guarding the gates. Employees have more access to data, collaborate more frequently and share information on more devices than ever before. This serves as a centrifugal force that has pushed sensitive data out into places where it’s hard for even the most mature companies to control. In addition, today’s younger, fully online (and sometimes remote) workforce has lower informational inhibitions, significantly increasing privacy concerns.
Rest assured, there is a silver lining. Our work also suggests that employees want to do the right thing, but often lack an understanding of the right procedures to follow. So, where should companies start?
Policies should focus on what employees actually do
Given the lack of clear governance, it is no surprise that privacy expectations and responsibilities in corporate policies often overlap as well. In fact, privacy language can appear in as many as 15 common corporate policies.
The truth is that having a structure this complex leaves employees unable to understand what is expected of them. And that’s what they care about. They just want to know how to do their jobs. Realizing this, companies need to create policies that focus on how privacy laws and regulations affect an employee’s day-to-day actions and emphasize tangible activities that employees should take to protect sensitive information. This will not only simplify compliance for employees, but ultimately ensure a better compliance rate.
Don’t treat (or train) every employee the same
Three-fourths of the companies we surveyed report delivering an hour or less of privacy training per year. In addition, half of these companies incorporate their privacy training into another training course. This blanket approach fails to take into account that not every employee creates the same amount of privacy risk. While every employee should have training on how to keep information secure, the truth is that some employees will likely never be exposed to personally identifiable information while others may deal with it on a daily basis. Given the limited appetite (and attention span) that employees have for corporate compliance training, as well as the wide discrepancy of need, companies should focus on providing more comprehensive privacy training to those employees and departments that handle sensitive information.
Build a culture of accountability
Lastly, our benchmarking shows high returns for investing in a culture of accountability for data privacy. Appointing data privacy champions in all divisions, celebrating employees who proactively raise privacy concerns, reinforcing with managers the importance of data privacy protocols, and supporting employee-led data privacy initiatives create ownership for data privacy across the business, down to the most junior levels. These strong data privacy cultures go furthest in ensuring that, in the moment when a breach happens, it will be caught – hopefully before there is significant damage.
Understanding the root causes of privacy failures has broad implications for how companies manage privacy risks. While it’s important to maintain a strong defense against malicious outsiders, it is equally critical that companies protect themselves from their employees by creating easy-to-understand policies and training. Companies that successfully address this could meaningfully reduce privacy risk and minimize the risk of an inadvertent, but serious, data breach. More often than not, the real threat comes from within.
Talent Matters is a regular column from CEB, a Rosslyn-based corporate research and advisory firm. Jean Martin is CEB’s talent solutions architect. Brian Lee is a compliance and legal practice leader at CEB.