An executive at an insurance firm sent out a document that contained confidential information, including employees’ names, email addresses, birthdates, Social Security numbers, employee ID numbers, office locations, and the details of their medical insurance plans. The problem was the email was accidentally sent to an external mailing blast list.
As a result of the incident, the insurance firm had a loss of revenue and the employee was fired. Damage control also included additional time cleaning up what they could of the mess.
This is one incident that is highlighted in a new study by the Business Performance Innovation Network. The study entitled “Getting Control of Document Flow: Exploring Exposure and Risk In Document-Related Data Breaches,” was sponsored by Foxit Software, shows there is a growing need to improve security practices surrounding confidential documents in most organizations today. In a global survey of managers and information workers, six out of every 10 respondents said they or someone they know have accidentally sent out a document they shouldn’t have.
Sure accidents can happen. Maybe the employee is distracted and hits the send button without confirming who is in the to box. But it doesn't make the repercussions any less damaging.
In another example, a marketing firm was editing a document combining their comments with their client edits. The comments were meant for internal eyes only and included some non flattering language about the client. One of the executives accidentally sent out the feedback to the wrong distribution list – which included the client.
Not surprising, the marketing company lost that client almost immediately and that employee was reprimanded, but did not lose their job.
Some 89 percent of survey takers believe document security risks are growing in their organization due to increased connectivity and the proliferation of mobile devices. The accidental sharing of confidential documents with a wrong party is by far their biggest concern.
Among key findings:
- 95 percent of respondents express concerns about the security of documents in their organization.
- 75 percent say their organizations create confidential documents on at least a weekly basis.
- Less than one-third said their company has security solutions that are being effectively used in protecting document security.
- Some 43 percent report that their company does not have widely understood policies for document security of which they are aware.
- Only 16 percent say their organization is “very effective” in stopping the loss or accidental distribution of confidential digital documents.
“Most companies are clearly not doing enough when it comes to protecting the security of high-value information contained in documents,” said Dave Murray, head of thought leadership for the BPI Network. “Our study indicates that a wide range of information that could compromise businesses is vulnerable to inadvertent leaks, as well as intentional theft. Organizations need to do more to set explicit document security policies and educate employees on available tools and best practices in securing the confidential information they handle.”
BPI noted the public incident involving the Red Cross Blood Service, where 550,000 blood donor data was accidentally published to the public. Data included names, gender, address, date of birth as well as information on “at-risk sexual behavior.”
Another incident involved an employee of the Australian Immigration Department who inadvertently shared the passport numbers, visa details and other personal identifiers of all world leaders attending the G20 Brisbane summit to the organizers of the Asian Cup football tournament. Victims included Barack Obama, Vladimir Putin, Angela Merkel, Xi Jinping, Narendra Modi, Shinzo Abe, Joko Widodo and David Cameron and many more.
Accidentally sending a confidential document to the wrong party was by far the biggest area of perceived risk in the study, identified by 61 percent of respondents. Other top concerns were cyber breaches of critical documents (37 percent), intentional leaks by employees (33 percent), and sensitive documents shared without permission by outside partners (31 percent).
Confidential documents are created in a wide range of departments within an enterprise, resulting in numerous types of high-value, at-risk information, according to the report. Survey participants ranked their concern for a wide variety of confidential, at-risk information. Top concerns in ranked order included:
- Financial data
- Employee records
- Legal documents
- Business contracts and agreements
- Trade secrets and intellectual property
- Business, marketing and sales plans