Control 17.8: Train Workforce on Causes of Unintentional Data Exposure
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Category
Procedural
Purpose
People play a huge role in preventing data breaches, often more critical than any technological solution. Employees must be regularly exposed to and reminded of causes of data exposure and data breaches. The following is a non-exhaustive list:
- Loss of device with sensitive information;
- Leaving sensitive information in an insecure area;
- Downloading sensitive information to temporary or download folders which are not secure;
- Sending sensitive information over insecure communication channels (e.g., unencrypted email, text messages);
- Sending sensitive information to the wrong recipient;
- Insufficiently reviewing newly created data for its proper sensitivity level;
- Assigning permissions to sensitive information to the wrong person;
- Improperly segmenting data based on need to know; and
- Improperly setting access controls on sensitive data.
Automation
This Sub-Control is generally not automatable. Technical controls such as a firewall, a data loss prevention (DLP) system, an intrusion detection system, or an endpoint protection suite (e.g., antivirus) can be put in place to prevent data exposure, but they do not replace the training itself. Third-party organizations offer platforms that help train users to recognize the accidental and unintentional behaviors that can affect the security of an organization.
Guidance and Tools
It is important to train workforce members regularly, but not to overwhelm them. Do not expect them to be cybersecurity experts. The key is to identify the events that matter and to keep reminding employees to report any and all suspicious happenings, even when they are unsure. By regularly reminding employees of the accidental causes of data breaches, they will be more mindful and will better understand the risks associated with their actions.