Despite the growing numbers of vulnerabilities, malware, and hacking groups, your employees may be your greatest security risk. The good news is that by improving data literacy throughout your organization, you can reduce your risk substantially. Data classification training is one of the best ways to help your employees improve your company’s security as it helps them understand what data most needs protection.
Employees Can Be a Major Data Security Threat
Do you trust your employees? In the most benevolent sense possible, you shouldn't, at least not unconditionally. The latest study on human error in data breaches found that 88% of breaches involved an employee in some way. On the bright side, only around 14% of breaches were caused by malicious insiders; the large majority were accidental or unintentional.
The issue is usually not carelessness. More often it is a combination of insufficient training, fear of disclosing mistakes, and poor security practices, among other factors. Many recent phishing emails, for example, succeeded not because employees were duped into clicking a link to a cat video, but because the emails impersonated a high-ranking person in the company. Employees responded because they believed the request was legitimate.
Responding to such an email is a small mistake, but it can have significant consequences for your security. Employees typically have access to an organization's most sensitive and valuable data. That access is necessary for them to do their jobs; unfortunately, it is also a very useful attack vector. Many other employee-related breaches have started with attacks on employee credentials. One example is Cisco's breach in 2022, in which an attacker took over an employee's personal Google account; the employee's browser had saved Cisco credentials and synced them to that account.
Data Literacy Improves Data Security
While it is not possible to eliminate security risk entirely (to err is human, after all), improving employee data literacy reduces the likelihood that someone in your organization will fall prey to an attack. One of the first things an employee should learn is proper data classification. Someone who knows a file is confidential is far less likely to save it in a folder or share that does not protect it adequately, and when files consistently land where they belong, the organization gains visibility into what data it holds and where.
Learning the correct classifications means that employees understand what the data is, what it is used for, and how sensitive or personally identifying it is. Once this is clear, the employee knows how to categorize and store the data according to its sensitivity. For example, under HIPAA, protected health information (PHI) is generally expected to be encrypted at rest and in transit. Employees should first know what qualifies as PHI, and then store it only in storage that provides that encryption.
Threat awareness is also part of data literacy. Attackers are constantly looking for ways to exploit your weaknesses, so employees need to be kept up to date on the latest phishing techniques and how to recognize them, on never approving an MFA prompt they did not initiate themselves (an MFA push they did not trigger is a sign that someone else already has their password), and on the basics of good security hygiene. Returning to the Cisco example, employees should not use personal Google accounts to sign in to business platforms, and saving work passwords in the browser, where they can sync to a personal account, is not good practice.
Supporting Data Literacy Efforts
Although threat awareness is relatively simple to grasp, data classification can be more difficult because of varying regulations and the nuances of the data themselves. Some organizations use vague labels that don't mean much to users. Security experts recommend clear categories, and these should be more descriptive than high, medium, and low sensitivity, which say nothing about how a file should be handled. Instead, consider confidential, internal use only, and public, or similarly self-explanatory categories that are relevant to your organization. Whatever labels you choose, each one should map to concrete handling rules: where files with that label may be stored, whether they must be encrypted, and who may share them.
Data literacy and a clear understanding of the classification scheme help employees sort data correctly, but even a well-trained employee will err from time to time. When that happens, the system should help by flagging a file or folder whose contents do not match its label or its location.
Data classification solutions provide automated data discovery that alerts you to misplaced data. A good solution also evaluates threats, encrypts data, monitors employee access and flags unused privileges, and analyzes user behavior to quickly detect unusual activity that could indicate a breach.
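The following is an added illustration of the "misplaced data" check described above; it is not code from the article or from any vendor's product. It uses the article's three categories (public, internal, confidential), a few constructed content detectors (SSN, medical record number, clinical wording, an "INTERNAL ONLY" marking; these patterns are hypothetical simplifications), and a constructed set of sample files to show how a scanner decides that a file's contents require more protection than the location it was saved to provides.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Classification levels in increasing sensitivity (article's categories).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Constructed content detectors: (pattern, minimum level required, label).
# These are illustrative patterns, not a production PHI/PII detector.
DETECTORS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "confidential", "US SSN"),
    (re.compile(r"\bMRN[:# ]\s*\d{6,10}\b", re.I), "confidential", "medical record number"),
    (re.compile(r"\b(?:diagnosis|prescribed)\b", re.I), "confidential", "clinical language"),
    (re.compile(r"\bINTERNAL ONLY\b"), "internal", "internal marking"),
]

# Hypothetical top-level storage locations and the protection level each one
# provides. Anything not listed is treated as public (no assumed protection).
LOCATION_LEVELS = {
    "public-share": "public",
    "intranet": "internal",
    "phi-vault": "confidential",
}


@dataclass
class Finding:
    path: str        # file that is misplaced
    stored_as: str   # level the file's location provides
    required: str    # level its contents require
    reasons: list    # detector labels that fired


def required_level(text):
    """Return the highest level any detector demands, plus the labels that fired."""
    best, reasons = "public", []
    for pattern, level, label in DETECTORS:
        if pattern.search(text):
            reasons.append(label)
            if LEVELS[level] > LEVELS[best]:
                best = level
    return best, reasons


def location_level(path):
    """Protection level implied by where the file lives (top-level directory)."""
    top = PurePosixPath(path).parts[0]
    return LOCATION_LEVELS.get(top, "public")


def scan(files):
    """files: {path: text}. Return a Finding for every file stored below the
    level its contents require; correctly placed files produce nothing."""
    findings = []
    for path, text in files.items():
        stored = location_level(path)
        need, reasons = required_level(text)
        if LEVELS[need] > LEVELS[stored]:
            findings.append(Finding(path, stored, need, reasons))
    return findings


# Constructed sample corpus: two files are fine, two are misplaced.
SAMPLE_FILES = {
    "public-share/newsletter.txt": "Welcome to the spring newsletter. Office hours are 9-5.",
    "intranet/visit-notes.txt": "Patient J. Doe, MRN: 00482913, was prescribed amoxicillin.",
    "phi-vault/claims.csv": "name,ssn\nJane Doe,123-45-6789",
    "public-share/roadmap.txt": "INTERNAL ONLY - Q3 product roadmap draft.",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.path}: stored as {f.stored_as}, requires {f.required} ({', '.join(f.reasons)})")
```

Two points carry over to real deployments: an unknown location defaults to the weakest level, so sensitive content in an unexpected place is flagged rather than silently trusted, and the scanner reports the reason each file was flagged, which is what lets an employee learn from the mistake instead of just seeing a file disappear.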
Ultimately, employees who receive proper training and improve their data literacy are far less likely to contribute to or cause a data breach. Teaching employees good security practices and proper data classification goes a long way toward keeping your data secure, and if a breach does occur, the damage is far more likely to be contained. When data is classified correctly and each label is tied to real controls, the most crucial and sensitive data is the data that is encrypted and most tightly protected. If you also deploy data classification tooling, you add faster discovery of misplaced data and unusual activity, along with a safety net for the mistakes that training alone cannot prevent.