The human factor is the main cause of data leakage in companies. Companies that do not invest in managing and controlling corporate internet access are the ones that allow data to leak through their employees.
Companies that do not invest in data security make life easier for digital scammers, practically asking to become the target of security incidents.
The situation is so serious that, without management and control of internet access, employees enable data leakage in the company (improper access, unauthorized collection and public disclosure of data), even if inadvertently.
Thus, employees unduly expose the personal, sensitive, biometric, behavioral, confidential, registration or browsing data of colleagues, suppliers and customers.
In fact, a company without internet access and information security policies is halfway to the unacceptable public disclosure of data.
A full plate for cybercrime. After all, cybercriminals threaten companies of all sizes 24 hours a day without rest. Undoubtedly, certain damage to companies.
Below is a series of tips on what to do and what not to do about data leakage in the company. Most of them have the human factor as a key element.
What not to do against data leakage by employees
# Prove identity through static information
Static information no longer protects as it once did. It is an invitation to data leakage, and fraud prevention techniques based on it are becoming outdated and increasingly subject to scams, such as opening accounts with false identities, for example.
# SMS for two-factor authentication
Phones are very easy to clone and are therefore a direct channel for data leakage in the company. The National Institute of Standards and Technology (NIST), the former National Bureau of Standards and responsible for the cybersecurity framework (NIST - Identify + Protect + Detect + Respond + Recover), has already stated that SMS is not a reliable technology as a security method for authentication.
# Password Authentication in Mobile Applications
Passwords on cell phones are insecure, and they make the user experience worse. Therefore, not using passwords as a user authentication factor eliminates this risk of data leakage; in addition, usability and experience are much better. The trend is to use other, safer authentication methods, such as facial or fingerprint recognition, for example.
# Confirm or provide data online
Do not provide or confirm data by telephone or through non-secure applications (WhatsApp, Telegram and Signal, for example), even if the requesters seem genuine. In fact, especially when they seem real, such as banks, the judiciary, prosecutors, large companies, etc. That is where the danger lies. Every employee must be trained to identify this type of risk, and companies must instruct their employees to report any doubtful contact to their superior, boss or manager.
# Reply to SMS messages
To avoid data leakage by employees, companies must provide information and knowledge. After all, every employee should be able to recognize risks and identify threats. Thus, when they receive SMS messages that, for example, report an atypical or unrecognized transaction, the correct action is not to reply! Replying already provides data that can confirm a personal or business identity.
# Access SMS or WhatsApp links
No link is reliable if it was received via SMS or free messaging applications (WhatsApp, Telegram and Signal, for example), especially in messages like “the prize is yours, just…”, “this notification refers to the fine…”, “See the forbidden photos of the famous…”. It is more than likely that these links carry viruses and malicious software that can do great damage, such as collecting bank and social network passwords. When the internet connection is corporate, the risk of data leakage by employees is very high.
# Make payments or transfers of funds
This guidance is aimed at employees of companies' financial departments. After all, they are the targets of this type of scam. Digital criminals use applications or make phone calls, with the help of previously leaked data and information. They invent stories and situations very close to plausible reality and abuse the good faith (and lack of training and information) of employees. Thus, through social engineering, they try to persuade employees to pay or deposit improper amounts. In 100% of companies that do not invest in data security and staff training, the chance of this scam is very high.
What to do against data leakage by employees
# Prefer dynamic data to static data
To verify the identity of users, it is always better to use dynamic data than static data. Dynamic data, as the name implies, is always changing and is based on people's variable behavior, which makes fraud or data leakage by employees almost impossible. An example of dynamic data is geolocation behavior. Smartphones and smartwatches, for example, have GPS and, when linked to an employee, provide unique information that is difficult to forge. This is just one example, but dynamic data is more reliable and a trend in the management and control of internet access.
# Behavioral Biometrics is safer than passwords
Passwords, as we know and use them today, have their days numbered. However, before they leave the scene, a reliable substitute is needed for the process of identifying, validating and granting access to the internet, websites or any other user authentication process. Behavioral biometrics is a strong candidate, both to ensure business security and to make mobile phones more useful and safe.
# Liveness Detection against Employee Data Leakage
The year 2021 was the year of the biggest data leaks in Brazil, and even photos were leaked. Thus, cybercriminals find it very easy to combine these images with civil identification information to falsify documents and defeat facial recognition (for example, by briefly presenting a static image). Liveness detection, on the other hand, is live facial recognition: this technology detects and validates the face of a living person by video, and static images do not work. A “proof of life” and a very safe form of identity verification.
# Voice recognition
Among the types of biometrics, this is perhaps the least explored. Many services currently offer electronic or human assistance that relies on passwords or requests for personal information to identify the user, which weakens the authentication process. With so much personal information available to fraudsters, voice recognition will become an increasingly important and relevant technology.
# Suspicious e-mail
Fake emails usually appear to come from real and known senders. Be careful when a message lands straight in the spam folder; ideally, delete it without opening it. This matters because phishing, a social engineering technique to deceive and collect data, is one of the most common attacks, and it can cause major damage and compromise data security.
# Alert the managers
When an employee identifies or suspects a threat, they should alert their boss as soon as possible and describe the situation and context, so that business owners, IT professionals and managers can evaluate the severity of the threat and act to minimize the damage and loss caused by data leakage by employees.
# Attentive and periodic checks
Good practices for managing and controlling internet access and data security call for attentive and periodic verification of companies' sensitive areas, sectors and data, such as bank accounts, financial investments, invoices and bills, and websites to block, among others. A preventive practice that minimizes risks, damage and losses.
# Monitor your company's data
Serasa's alert services and the Central Bank's register for monitoring the status of email passwords, applications, banks, financing and social networks. The situation is so serious that the register has been “suspended” since January 2022. According to the Central Bank (BC): “After an overload of accesses that caused slowness and took the platform offline, the service was temporarily suspended.” To this day the doubt remains: failure or cyber attack? Regardless of what it was, prevention and protection remain keywords against digital threats.
# Safe passwords
For individuals this tip is very valid, but for companies it is even more relevant. Establish policies and protocols for changing and updating the passwords of email, applications, banks, social networks and any other online service. Whenever possible, prefer dynamic identity authentication and verification. Otherwise, using safer and more random passwords, with eight or more characters including upper and lowercase letters, special characters, mathematical operators, accented characters or numbers, should be standard procedure in the company.
# Two-step verification
Activating two-step verification in all products and services that offer this functionality (especially WhatsApp) is a good standard prevention measure. It is a way to hinder unauthorized access and help prevent data leakage by employees.
# Risk Management
The company must invest in being able to identify, quantify and manage the risks related to information security, and thus minimize vulnerabilities and losses. Risk management processes should be performed periodically.
# Awareness and training
Make employees aware, through training, of their obligations and responsibilities related to the processing of personal data. This implies informing and sensitizing all employees, especially those directly involved in data processing activities, about the legal obligations under the LGPD and the rules and guidelines issued by the ANPD.
# Access Control
Implement access control, a technical measure to ensure that data is accessed only by authorized persons. It consists of authentication, authorization and audit processes. Invest in an access control system applicable to all users, with permission levels proportional to each user's need to work with the system and to access personal data. Such an access control system can, for example, allow the creation, approval, revision and deletion of user accounts.
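As an added illustration (not code from the original article or from the guides it cites), the sketch below models the access control system just described in Python: authentication, authorization and an audit trail, plus the create, approve, revise and delete account lifecycle, with permission levels granted in proportion to need. The level names, the bootstrap admin and the example accounts are constructed for this example.

```python
from dataclasses import dataclass, field
import hashlib, hmac, os, time

LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}  # permission ranks (constructed)

@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    level: str = "none"      # least privilege until an admin approves
    approved: bool = False

def _hash(password, salt):
    # Salted, slow password hash so a leaked account table is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessControl:
    def __init__(self, root, root_password):
        self.accounts, self.audit = {}, []
        self.create("system", root, root_password)   # bootstrap the first admin
        self.accounts[root].approved, self.accounts[root].level = True, "admin"

    def _log(self, actor, action, target, outcome):
        # Audit: every login, access decision and lifecycle change is recorded.
        self.audit.append((time.time(), actor, action, target, outcome))

    def authenticate(self, user, password):
        acct = self.accounts.get(user)
        ok = bool(acct and acct.approved and
                  hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)))
        self._log(user, "login", user, "ok" if ok else "denied")
        return ok

    def authorize(self, user, needed, resource):
        # Authorization: the account's level must reach the level the action needs.
        acct = self.accounts.get(user)
        ok = bool(acct and acct.approved and LEVELS[acct.level] >= LEVELS[needed])
        self._log(user, f"access:{needed}", resource, "ok" if ok else "denied")
        return ok

    # Lifecycle: create (pending) -> approve / revise (admin sets level) -> delete.
    def create(self, actor, user, password):
        acct = Account(); acct.pw_hash = _hash(password, acct.salt)
        self.accounts[user] = acct; self._log(actor, "create", user, "pending")

    def approve(self, admin, user, level):
        if not self.authorize(admin, "admin", f"account:{user}"): return False
        self.accounts[user].approved, self.accounts[user].level = True, level
        self._log(admin, "approve", user, level); return True

    revise = approve  # changing a level is a fresh admin approval, also audited

    def delete(self, admin, user):
        if not self.authorize(admin, "admin", f"account:{user}"): return False
        del self.accounts[user]; self._log(admin, "delete", user, "ok"); return True
```

A newly created account cannot log in or approve itself until an admin approves it, and every denied attempt lands in the audit list for the periodic checks the article recommends.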
# Multifactor Authentication
Use Multifactor Authentication (MFA) to access systems or databases that contain personal data. This practice consists of establishing an additional security layer for the account login process, requiring the user to provide two forms of authentication.
Avoiding data leakage by employees is possible
Given that employees are the gateway for cyber attacks on the company, structuring and implementing a data security and internet access management and control policy is urgent.
It is a way to minimize the impact of the human factor and prevent the main risks, security breaches and information security vulnerabilities.
Undoubtedly, as relevant as investing in information security solutions, technologies and systems is training the team to avoid data leakage by employees.
Avoiding data leakage by employees is possible, accessible and simple. Just adopt measures to prevent cybercrime and security incidents.
Prevention and information are keywords against security incidents
Being well informed, learning about data leakage and acting preventively contributes to reducing damage, avoiding losses and preserving your company's reputation.
Internet access management and control processes do not need to be difficult or complex. Investing in solutions that prevent information security incidents is the most accessible and intelligent strategy.
It is essential for your company to act in accordance with the legislation (LGPD) and to preserve the privacy rights and personal data security of users, consumers and citizens.
In practice, in addition to prevention, the best solutions on the market improve productivity and profitability indicators. Just research and compare.
The tips, guidelines and suggestions were researched in or reproduced from the following publications:
Guidance from the National Data Protection Authority (ANPD) - Information Security for Small Processing Agents (version 1.0, October 2021).
Minas Gerais Public Prosecution Service - Massive Data Leakage - What to do?
Incognia e-book - 2021, the year of the largest data leaks in Brazil: survival guide for risk managers.