The human factor is the main cause of data breaches in companies. Companies allow data leaks by employees when they fail to invest in managing and controlling access to the corporate internet.
Companies that don't invest in data security make life easier for cybercriminals. Essentially, they're asking to be the target of most security incidents.
The situation is so serious that, without management and control of internet access, employees enable data leaks within the company (unauthorized access, unauthorized collection, and public disclosure of data), even inadvertently.
In this way, employees end up improperly exposing personal, sensitive, confidential, biometric, behavioral, or browsing data of colleagues, suppliers, and clients.
In fact, the lack of internet access and information security policies in companies is a significant step towards the unacceptable public disclosure of data.
A perfect breeding ground for cybercrimes. After all, cybercriminals threaten companies of all sizes 24 hours a day, without rest. Undoubtedly, this is a sure way to cause losses for businesses.
Here's a series of tips on what to do and what not to do regarding data leaks in your company. Many of them focus on the human factor as a key element.
# What not to do to prevent employee data leaks
# Verify identity using static information
Static information no longer protects as it once did. It is an invitation to data leaks, and fraud prevention techniques based on it are becoming outdated and increasingly susceptible to scams, such as opening accounts with false identities.
# SMS for two-factor authentication
Cell phones are very easy to clone and, therefore, a direct channel for data leaks within a company. The National Institute of Standards and Technology (NIST), formerly the National Bureau of Standards and responsible for the cybersecurity framework (NIST – identify + protect + detect + respond + recover), has already stated that SMS is an unreliable technology as a security method for authentication.
# Password authentication in mobile applications
Passwords and cell phones are insecure. They worsen the user experience. Therefore, not using passwords as a user authentication factor eliminates the risk of data leaks. Furthermore, usability and user experience become much better. The trend is to use other more secure authentication methods, such as facial or fingerprint recognition, for example.
# Confirm or provide data online
Do not provide or confirm information over the phone or through unsecured apps (such as WhatsApp, Telegram, and Signal), even if the requesters seem genuine. In fact, be especially careful when they appear to be real, like banks, the judiciary, the public prosecutor's office, large companies, etc. That's where the danger lies. Every employee should be trained to identify this type of risk. Companies should instruct their employees to report suspicious contact to their superior, boss, or manager.
# Reply to SMS messages
To prevent data leaks by employees, companies must provide information and knowledge. After all, all employees should be able to recognize risks and identify threats. Thus, when receiving SMS messages that, for example, inform them of an atypical, unrecognized operation, the correct action is not to reply! Replying already provides data that can confirm a personal or business identity.
# Accessing links in SMS or WhatsApp
No link is trustworthy if received via SMS or free messaging apps (such as WhatsApp, Telegram, and Signal). This is especially true for messages like "the prize is yours, just...", "this notification refers to the fine...", "see the forbidden photos of the celebrity...". These links almost certainly contain viruses and malicious software that can cause significant damage, such as collecting bank and social media passwords. When the internet is used in a corporate setting, the risk of data leaks by employees is extremely high.
# Make payments or transfer funds
This guidance is aimed at employees in the finance departments of companies. After all, they are the targets of this type of scam. Cybercriminals use apps or make phone calls, aided by previously leaked data and information. They invent stories and situations very close to reality and abuse the good faith (and lack of training and information) of employees. Thus, using social engineering, they try to persuade employees to pay or deposit undue amounts. In 100% of companies that do not invest in data security and staff training, the chance of this scam succeeding is very high.
# What to do about employee data leaks
# Prefer dynamic data to static data
To verify user identity, it's always better to use dynamic data than static data. Dynamic data, as the name suggests, is constantly changing and is based on the ever-changing behavior of people. This makes fraud or data leaks by employees almost impossible. An example of dynamic data is geolocation behavior. Smartphones and smartwatches, for example, have GPS and, when linked to an employee, provide unique information that is difficult to falsify. In short, this is just one example, but dynamic data is more reliable and a growing trend in managing and controlling internet access.
# Behavioral biometrics are more secure than passwords
Passwords, as we know and use them today, have their days numbered. However, before they disappear, a reliable substitute for the process of identifying, validating, and granting access to the internet, websites, or any other user authentication process is emerging. Behavioral biometrics is a strong candidate, both for ensuring the security of companies and for making mobile devices more useful and secure.
# Liveness detection against employee data leaks
2021 was the year with the largest data breaches in Brazil. This included leaked photos. Cybercriminals can easily combine these images with personal identification information to forge documents and perform face-matching (facial recognition from a static image, in short), for example. Liveness detection, on the other hand, is dynamic facial recognition. That is, this technology detects and validates the faces of living people via video. Static images do not pass the check. It's a very secure "proof of life" and identity verification.
# Voice recognition
Among the types of biometrics, this is perhaps the least explored. Many services currently rely on electronic or human assistance, which may involve passwords or requests for personal information to identify the user, weakening the authentication process. However, with so much personal information available to fraudsters, it will become an increasingly important and relevant technology.
# Suspicious email
Fake emails usually appear to come from real and known senders. Be extra careful when the message goes straight to your spam folder. Ideally, delete the email without opening it. This is phishing, a social engineering technique used to deceive and collect data, and it is very common. Furthermore, it can cause significant losses and compromise data security.
# Alerting managers
When an employee identifies or suspects a threat, they should alert their supervisor as quickly as possible. They should describe the situation and the context in which it occurred so that business owners, IT professionals, and managers can assess the severity of the threat and act to minimize damage and losses from employee data breaches.
# Careful and periodic checks
Good practices for managing and controlling internet access and data security indicate the need for careful and periodic verification of sensitive areas, sectors, and company data. This includes, for example, bank accounts, financial investments, invoices and bills, and lists of websites to block, among others. It's a preventative practice that minimizes risks, damages, and losses.
# Monitor your company's data
Use Serasa's alert services and Registrato, from the Central Bank (BC), to monitor the status of passwords for emails, apps, banks, financing, and social networks. The situation is so serious that Registrato has been "suspended" since January 2022. According to the BC: "after an overload of accesses that caused slowness and took the platform offline, the service was temporarily suspended." To this day, the question remains: failure or cyberattack? Regardless of what it was, prevention and protection continue to be key words against digital threats.
# More secure passwords
For individuals, this tip is extremely valuable. However, for businesses, it's even more relevant. Establish policies and protocols for changing and updating passwords for emails, apps, banks, social networks, and any other online service. Whenever possible, always prefer dynamic authentication and identity verification. Otherwise, using stronger, random passwords with eight or more characters, including uppercase and lowercase letters, special characters, mathematical operators, accents, or numbers should be standard procedure in the company.
# Two-step verification
Enabling two-step verification on all products/services that offer this feature (especially WhatsApp) is a good standard preventative measure. It's a way to make access more difficult and try to prevent data leaks by employees.
# Risk management
The company must invest in being able to identify, quantify, and manage risks related to information security, thus minimizing vulnerabilities and losses. Risk management processes should be carried out periodically.
# Awareness and training
Raise employee awareness, through training, of their obligations and responsibilities related to the processing of personal data. This implies informing and sensitizing all employees, especially those directly involved in data processing activities, about the legal obligations existing in the LGPD and in rules and guidelines issued by the ANPD ( ).
# Access control
Implement access control, a technical measure to ensure that data is accessed only by authorized individuals. It consists of authentication, authorization, and auditing processes. Invest in an access control system applicable to all users, with permission levels proportional to the need to work with the system and access personal data. This access control system can, for example, allow the creation, approval, review, and deletion of user accounts.
# Multifactor authentication
Use multifactor authentication (MFA) to access systems or databases containing personal data. This practice establishes an additional layer of security for the account login process, requiring the user to provide two forms of authentication.
# Preventing data leaks by employees is possible
Given that employees are the gateway for cyberattacks in the company, structuring and implementing a data security policy and managing and controlling internet access is urgent.
This is one way to minimize the impact of the human factor and prevent major risks, security breaches, and vulnerabilities in information security.
Undoubtedly, just as important as investing in information security solutions, technologies, and systems is training and empowering the team to prevent data leaks by employees.
Preventing data leaks by employees is possible, accessible, and simple. It's simply a matter of adopting preventative measures against cyberattacks and security incidents.
# Prevention and information are key words against security incidents
Being well-informed, learning about data breaches, and acting proactively all contribute to reducing damage, avoiding losses, and preserving your company's reputation.
Managing and controlling internet access doesn't have to be difficult or complex. Investing in solutions to prevent information security incidents is the most accessible and intelligent strategy.
It is essential for your company to act in accordance with the law (LGPD). This is also necessary to preserve the privacy and security rights of users'/consumers'/citizens' personal data.
In practice, in addition to prevention, the best solutions on the market also provide productivity and profitability indicators. Just do some research and compare.
The tips, guidelines, and suggestions were researched or reproduced from the following publications:
Guidance Guide from the National Data Protection Authority (ANPD) – Information security for small data processing agents (version 1.0, October 2021).
Guide from the Public Prosecutor's Office of Minas Gerais – Massive data leak – What to do?
Incognia's E-book – 2021, the year of the biggest data breaches in Brazil – A survival guide for risk managers.