The theme for week three according to the United States Department of Homeland Security focuses on the following:
Education: Highlighting the importance of cyber education and workforce development, including the advancement and opportunities in Science, Technology, Engineering, and Math (STEM) education.
Cyber Awareness should be a priority for everyone in their business and personal lives. Cyberattacks and cybercrime are on the rise with ransomware and phishing schemes targeting us as we interact with each other online and targeted attacked toward businesses resulting in loss of intellectual property, reputation, or perhaps most distressing of all information about us (social security numbers, credit card numbers, etc.).
However, cyber awareness is not limited to protecting against cyber attacks. Cyber awareness also means protecting ourselves and the companies we work for from our well-meaning actions. We must educate ourselves on what’s safe and what’s risky when it comes to storing data or transferring information. It’s all too easy to use cloud-based applications such as Dropbox™, Google Drive™, and Adobe Creative Cloud™. Data flows freely on these networks, with security depending solely on the vendor in most cases. The use of these applications for business purposes is particularly worrisome – the 2013 state of cloud application access survey by identity management firm OneLogin found that seven out of ten organizations are running cloud applications not officially sanctioned by their IT departments.
We also email company data to our personal email accounts or devices. According to a recent survey by the Ponemon Institute, an independent data privacy research firm, employees are moving IP outside the company in all directions. Over half admit to emailing business documents from their workplace to their personal email accounts, and 41 percent say they do it at least once a week. Forty-one percent also say they download IP to their personally-owned tablets or smartphones. These activities expose potentially sensitive data to greater risk of compromise than leaving it on the company-owned device, but we take it one step further by not cleaning it up after we use it.
Most of us are not malicious insiders, but well-meaning employees. Even as we change companies and take some of the documents, applications, or data that we’ve developed we don’t see it as wrong. Half of the survey respondents say they have taken information, and 40 percent say they will use it in their new jobs. This means precious intelligence is also falling into the hands of competitors, causing damage to the losing company and adding risk to the unwitting receiving company.
The best course of action is to educate employees:
- Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness is critical – companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do's and don'ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employee to your company.
- Enforce non-disclosure agreements (NDAs): Include stronger, more specific language in employment agreements and ensure exit interviews include focused conversations around employees' continued responsibility to protect confidential information and return all company information and property (wherever stored).
- Be thoughtful in what you post to your social sites: Social engineering and trawling social sites are becoming the best ways cybercriminals have for gathering information about us for targeted attacks or to gain access to our devices (either home or at work).
- Educate users about how to use their privacy and permission settings and the risks of downloading rogue applications.
What’s Yours is Mine Infographic – How Employees are Putting Your Intellectual Property at Risk.