Nearly a quarter of employees are unsure whether the information they are handling should be kept confidential or not. In a survey conducted by KnowBe4 Research, it was found that 24% of almost 410 thousand respondents worldwide across all employees from various organisations, had indicated their uncertainty on the confidentiality status of the information they work with.
This suggests that information that ought not to be shared with others outside the organisation risks leaking out – without the employees even being aware of the hazard.
“Managers have a responsibility to train their staff to treat the information they are working with in a good way. That as many as a quarter of employees are unsure about this indicates a considerable failing in many companies,” said Research Director Kai Roer.
Should confidential information fall into the wrong hands, it could harm the company in a variety of ways. Some information could be market sensitive, some could impact the organisation’s reputation or breach data privacy regulations, while leaked log-in information could give cyber criminals access to business-critical internal systems.
The sectors most at risk
The research also revealed that the construction, education, transport and retail sectors are most at risk of mishandling of information.
Approximately 34-35% of those in the aforementioned industries indicated their uncertainty about the status of the information they are working with. On the other hand, only 16% of those in the banking and finance sectors responded the same.
“We also see the same tendency in the annual security culture report. Sectors like banking and finance are, on the whole, more used to dealing with confidential information and probably have better routines and procedures for this,” said Roer.
“We see a clear link between the various aspects of security culture. The organisations that do well in one area, generally also do well in other areas. Unfortunately, IT security is equally important for everyone, regardless of business sector. This has been demonstrated by a series of cyber attacks in Norway over the past year.”
Many organisations include non-disclosure agreements, specifying what can and cannot be shared, in their employees’ employment contracts.
“These figures indicate that the issue has generally not been properly explained to or followed up with employees. When someone starts a new job, they are given access to a lot of information,” said Roer.
“It is the manager’s responsibility to follow up and ensure that their employees are confident in their role and know how to handle the information they encounter. It is equally important to ensure that employees handle confidential information correctly as time goes on. It is not enough just to provide training when people join the organisation.”
Organisations would need to consistently follow-up and train its employees in the practice of IT security to refresh their awareness and keep them up to date with the latest developments.
“Cyber criminals are working constantly to develop more cunning methods of attack. In addition, things can happen within the company to change the situation, which employees must be made aware of,” concluded Roer.