Are you still relying on people signing confidentiality agreements when they’re hired, and on their goodwill when they leave? If you are, you could be in for a rude shock: in a survey earlier this year, almost half the people asked had either not signed a confidentiality agreement or had forgotten doing so.
Similarly, most of those surveyed had not been asked to return or delete company data in their possession when leaving their last job, despite this being a pretty effective way to cut the leakage of intellectual property.
Worse, the survey was of attendees at Microsoft TechEd, so these weren’t your average office drones — they were the kind of people who ought to know a confidentiality or non-disclosure agreement (NDA) when they see one.
Although new hires are typically asked to sign NDAs of some sort, it’s likely the problem is two-fold. First, it is not made clear enough what you’re actually agreeing to when you sign, and second, the effect is not restated or renewed later in the worker’s career.
The survey (results available online here) was done by data governance specialist Varonis Systems. It reckons that properly communicating NDAs to staff can significantly reduce the number of people who upload sensitive company data to personal cloud storage accounts.
It’s probably right. Most people who upload work stuff to Dropbox, Google, iCloud or Skydrive do so because it makes it easier for them to get their jobs done, not for any malicious or selfish reasons. They do it because the company makes them jump through hoops to achieve the same thing within the rules, or blocks it altogether for reasons of fear, uncertainly, doubt, and general control freakery. (Is there anyone out there who’s never encountered a Mordac, the Preventer of Information Services, as in the Dilbert cartoons?)
One other way to reduce the risk of accidental information leakage — deliberate leakage is another matter — is, of course, to make it easier for staff to work within the rules. The trouble is, as Gartner’s Monica Basso wrote* earlier this year, “While personal cloud services are proliferating at work, many IT organizations are still either not aware or in denial mode.”
That means no more self-discrediting and ineffective blanket bans on sharing. Instead, organizations need to engage with data governance to understand what can and can’t safely be shared — and convince their people to take the result seriously.
Then it means providing staff with enterprise-grade cloud storage via a provider such as Box, SpiderOak, or TeamDrive. Only once that is in place can you realistically think of using data leakage prevention tools to detect and block the use of insecure consumer-grade file sharing services. And if there is data that you are unwilling to trust even to an encrypted hosting service, have a look at technologies that allow you to share files directly from on-premise storage, such as Egnyte’s Storage Connect.
It also means figuring out ways to enable safer BYOD, whether it be a sandboxed company app or container, a remote desktop, management tools enabling selective data wipes, geo-fencing, policy enforcement, or any combination of the foregoing.
Lastly, not only must you have practical and appropriate NDAs and guidelines in place, but you must also reinforce and refresh these from time to time with training classes, newsletters and other ways to communicate the risks and explain the solutions. This won’t remove all your information leakage risks and problems, but it should go a long way towards lessening them. Better yet, it should let you focus on the potential villains, with less distraction from the merely curious and careless.
*Gartner Research – Hype Cycle for Wireless Devices, Software and Services, 2013; by Gartner Research Vice President Monica Basso; published July 31, 2013