The human factor is the main cause of data leaks in companies. They are the ones that allow employees to leak data when they do not invest in management and control of access to the corporate internet.
Companies that do not invest in data security make life easier for digital scammers. Practically, they ask to be the target of most security incidents .
The situation is so serious that, without management and control of internet access, employees enable data leaks in the company (improper access, unauthorized collection and public disclosure of data), even if inadvertently.
In this way, employees end up unduly exposing personal, sensitive, confidential, biometric, behavioral, confidential, registration or navigation data of colleagues, suppliers and customers.
In fact, the lack of internet access and information security policies in companies is halfway to the unacceptable public disclosure of data .
A full plate for the occurrence of cybercrimes. After all, cybercriminals threaten companies of all sizes 24 hours a day, without rest. Without a doubt, certain harm for companies .
See, a series of tips on what to do and what not to do in relation to data leaks in the company. Most of them have the human factor as a key element .
What not to do against data leakage by employees
# Prove identity through static information
They no longer protect like they used to. Static information invites data leakage, and fraud prevention techniques based on it are becoming outdated and increasingly subject to scams. Like opening an account with fake identities, for example.
# SMS for two-factor authentication
Cell phones are very easy to clone and, therefore, a direct channel for data leaks in the company. The National Institute of Standards and Technology (NIST) , the former The National Bureau of Standards and responsible for the cybersecurity framework (NIST – identify + protect + detect + respond + recover), has already declared that SMS is an unreliable technology as a method security for authentication.
# Password authentication in mobile applications
Passwords and cell phones are insecure. They worsen the user experience. Therefore, it does not use passwords as a user authentication factor and eliminates the risk of data leaks. Furthermore, usability and experience are much better. The tendency is to use other, more secure authentication methods, such as facial or digital recognition, for example.
# Confirm or provide data online
Do not provide or confirm data via telephone or insecure applications (WhatsApp, Telegram and Signa, for example). Even if the applicants appear to be genuine. In fact, especially when they appear to be real, such as banks, the Judiciary, the Public Ministry, large companies, etc. That's where the danger lies. Every employee must be trained to identify this type of risk. Companies must instruct their employees to, in the event of a questionable contact, communicate it to their superior, boss or manager.
# Reply to SMS messages
To prevent data leakage by employees, companies must provide information and knowledge. After all, all employees must be able to recognize risks and identify threats. Therefore, when you receive SMS messages that, for example, report an atypical and recognized operation, the correct action is not to respond! Furthermore, responding already provides data that can confirm personal or business identity.
# Access links in SMS or WhatsApp
No link is reliable if it was received via SMS, free messaging apps (WhatsApp, Telegram and Signal, for example). Especially, in messages like “the prize is yours, just…”, “this notification refers to the fine…”, “see the prohibited photos of the famous person…”. More than certain that these are links that contain viruses and malicious software that can do great damage, such as collecting bank and social network passwords. When the internet is corporate, then the risk of data leakage by employees is extremely high.
# Make payments or transfers of amounts
This guidance is aimed at employees in companies' financial departments. After all, they are the targets of this type of scam. Digital criminals use applications or make phone calls, with the help of previously leaked data and information. They invent stories and situations that are very close to possible reality and abuse the good faith (and lack of training and information) of employees. Thus, with social engineering, they try to dissuade employees from paying or depositing undue amounts. In 100% of companies that do not invest in data security and staff training, the chance of this scam being successful is very high.
What to do about employee data leakage
# Prefer dynamic data over static data
To verify the identity of users, it is always better to use dynamic data than static data. Dynamics, as the name implies, are always changing and are based on people's inconstant behavior. This makes it almost impossible for employees to commit fraud or data leaks. An example of dynamic data is geolocation behavior. Smartphones and smartwatches, for example, have GPS and, when linked to an employee, provide unique information that is difficult to defraud. Anyway, it's just an example, but dynamic data is more reliable and a trend in the management and control of internet access.
# Behavioral biometrics are more secure than passwords
Passwords, as we know and use them today, have their days numbered. However, before leaving the scene, a reliable substitute for the process of identifying, validating and allowing access to the internet, websites or any other user authentication process. Behavioral biometrics is a strong candidate, both to guarantee the security of companies and to make cell phones more useful and secure.
# Liveness detection against data leakage by employees
The year 2021 was the year in which the biggest data leaks occurred in Brazil. In fact, photos were also leaked. Thus, cybercriminals find it very easy to combine these images with civil identification information and falsify documents and perform face-matching (facial recognition based on a static image, in a summarized form), for example. Liveness detection is dynamic, live facial recognition. In other words, this technology detects and validates the faces of living people, via video. Non-functional static images. A very secure “proof of life” and identity.
# Voice recognition
Among the types of biometrics, this is perhaps the least explored. Many services currently rely on electronic or human support, which may rely on passwords or the request for personal information to identify the user, which weakens the authentication process. However, with so much personal information available to fraudsters, it will become an increasingly important and relevant technology.
# Suspicious email
Fake emails usually have real, known senders. Be extra careful when the message ends up in the spam folder. In fact, the ideal is to delete it without opening the email. Even more so because the social engineering technique to deceive and collect data, phishing , is one of the most common. Furthermore, it can cause great losses and compromise data security.
# Alert managers
When an employee identifies or suspects a threat, they must alert their boss as quickly as possible. It must inform the situation and the context in which it was, so that business owners, IT professionals and managers can assess the severity of the threat and act to minimize damage and losses from data leaks by employees.
# Careful and periodic checks
Good management and control practices for internet access and data security indicate careful and periodic checking of companies' sensitive areas, sectors and data. Such as, for example, bank accounts, financial applications, invoices and bills and lists of websites to block , among others. A preventive practice that minimizes risks, damages and losses.
# Monitor your company's data
A good tip is to register and use applications that monitor such as Serasa and Registrato , from the Central Bank (BC), to monitor the status of passwords for emails, applications, banks, financing and social networks. The situation is so serious that, currently, the Registrato has been “suspended” since January 2022. According to the BC: “after an overload of access that caused slowness and took the platform offline, the service was temporarily suspended”. To this day, the question remains: failure or cyber attack. So, regardless of what it was, prevention and protection remain keywords against digital threats.
# More secure passwords
For individuals, this tip is super valid. However, for legal entities, it is even more relevant. Establish policies and protocols to exchange and update passwords for emails, applications, banks, social networks and any other online service. When possible, always prefer authentication and dynamic identity verification. Otherwise, using more secure and random passwords with eight or more characters, including upper and lower case letters, special characters, mathematical operators, accent marks or numbers should be standard company procedure.
# Two-step verification
Activating two-step verification on all products/services that offer this functionality (especially WhatsApp) is a good standard prevention measure. A way to make access difficult and try to prevent data leakage by employees.
# Risk management
The company must invest to be able to identify, quantify and manage risks related to information security. And thus minimize vulnerabilities and losses. Risk management processes must be carried out periodically.
# Awareness and training
Make employees aware, through training, of their obligations and responsibilities related to the processing of personal data. This involves informing and raising awareness of all employees, especially those directly involved in the data processing activity, about the legal obligations existing in the LGPD and in standards and guidelines published by the ANPD .
# Access control
Implement access control, a technical measure to ensure that data is only accessed by authorized people. It consists of authentication, authorization and audit processes. Invest in an access control system applicable to all users, with permission levels in proportion to the need to work with the system and access personal data. This access control system may, for example, allow the creation, approval, review and deletion of user accounts.
# Multi-factor authentication
Use multi-factor authentication (MFA) to access systems or databases that contain personal data. This practice consists of establishing an additional layer of security for the account login process, requiring the user to provide two forms of authentication.
Preventing data leakage by employees is possible
Considering the fact that employees are the gateway to cyber attacks in the company, structuring and implementing the data security and internet access management and control policy is urgent .
A way to minimize the impact of the human factor and prevent the main risks, security breaches, and information security vulnerabilities.
Without a doubt, as relevant as investing in information security solutions, technologies and systems , is training and empowering the team to prevent data leaks by employees.
Preventing data leakage by employees is possible, affordable and simple. Simply adopt prevention measures against cyberattacks and security incidents .
Prevention and information are keywords against security incidents
Being well-informed, learning about data leaks and acting preventively contribute to reducing damage, avoiding losses and preserving your company's reputation .
Internet access management and control processes do not need to be difficult or complex. Investing in solutions to prevent information security incidents is the most affordable and intelligent strategy.
It is essential for your company to act in accordance with legislation ( LGPD ). Also, to preserve privacy rights and personal data security of users/consumers/citizens .
In practice, in addition to prevention , the best solutions on the market productivity and profitability indicators . Just search and compare.
The tips, guidelines and suggestions were researched or reproduced in the following publications:
Guidance from the National Data Protection Authority (ANPD) – Information security for small processing agents (version 1.0, October 2021).
Manual from the Public Ministry of Minas Gerais – Massive data leak – What to do?
Incognia e-book – 2021, the year of the biggest data leaks in Brazil – Survival guide for risk managers .
Subscribe to our newsletter and receive more news and materials.
