Do You Know How Your Employees Process Personally Identifiable Information?

Are you sure your employees act responsibly when dealing with personally identifiable information?

Many parts of the world now have local laws governing the processing and storage of personally identifiable information (PII). These laws complement the GDPR (General Data Protection Regulation), with which any company that processes data about EU residents in any way must comply.

Large businesses have relatively clear strategies for complying with all these laws and regulations. Generally, they entrust an employee, the data protection officer (DPO), with responsibility for ensuring compliance with the rules on processing personal data, and they devote large budgets to writing internal regulations and conducting regular audits. Small businesses often lack the resources to do the same.

Human factor

The problem mostly concerns employees who are not as careful as they should be with other people's personal data. This carelessness can result in unintentional leaks.

Let's consider a common scenario: employees scan documents containing personal data every day and store them in a shared location. From their perspective, they are simply uploading files to the company's OneDrive or SharePoint directories. This does not in itself constitute a leak, but it makes the data accessible to co-workers who have not been trained to handle this type of information and therefore should not have access to it.

The problem is not that these co-workers will necessarily cause a data leak. However, believing they have no access to anything particularly critical or confidential, they may occasionally leave their business laptops unattended. In addition, if the business suffers an unrelated data leak, the resulting audit of its data processing and storage practices could bring hefty fines for allowing such broad employee access to customers' or employees' personal data.

How to minimize the risk of personal data being stored in public access folders?

The simplest way to keep personal data out of publicly accessible folders is to monitor whether employees use collaboration tools to transmit such data. In other words, you need to know exactly what employees are sharing, where they store information, and whether they are sharing links with anyone outside the business. In theory, a separate DLP (data loss prevention) solution is needed for this, but not every business has the resources for one. However, there is an alternative.

The Data Discovery feature in the latest Kaspersky Endpoint Security Cloud is a good option for any business that uses Microsoft 365 services for collaboration. Data Discovery detects files containing PII or bank card data, clearly indicates their location, and provides additional context for these files regardless of whether the information is stored in a structured or unstructured way.

Although the feature currently works only with German, Italian and US document formats, it is still being improved, and support for documents from other countries is expected in the near future.
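To make the detection side of Data Discovery concrete, here is an added example (my own code, not Kaspersky's) of the kind of scan such a feature performs over a shared folder: walk the tree, look for bank card numbers (regex plus Luhn check, so that random digit runs are not reported), IBANs (mod-97 check) and e-mail addresses, and report each file's location with what was found. The folder layout, file contents and names in `demo()` are constructed sample data; the regexes are deliberately simple and cover only a few PII types.

```python
"""Minimal data-discovery scan over a file share (added example, not Kaspersky code)."""
import re
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run. Luhn validation filters out false hits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Simplified IBAN shape: country code, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four chars to the end, map A-Z to 10-35."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def find_card_numbers(text: str) -> list:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_text(text: str) -> dict:
    return {
        "cards": find_card_numbers(text),
        "emails": EMAIL_RE.findall(text),
        "ibans": [i for i in IBAN_RE.findall(text) if iban_ok(i)],
    }


def scan_tree(root) -> dict:
    """Map relative file path -> findings, for every file in the tree with at least one hit."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # binary formats would need a text extractor
        except OSError:
            continue
        hits = scan_text(text)
        if any(hits.values()):
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict:
    """Build a constructed sample share in a temp dir and scan it (sample data, not real people)."""
    samples = {
        "hr/onboarding_scan.txt": "Name: Ayse Yilmaz\nEmail: ayse.yilmaz@example.com\n"
                                  "IBAN: GB82WEST12345698765432\n",
        "finance/expense_claim.txt": "Card: 4111 1111 1111 1111 exp 12/27\n",
        # digits that look like a card but fail Luhn, plus a short number: must not be reported
        "marketing/plan.txt": "Q3 budget 1234567 TRY, ref 4111-1111-1111-1112\n",
    }
    root = Path(tempfile.mkdtemp(prefix="share_"))
    for rel, content in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(rel_path, hits)
```

Running `demo()` reports only the HR scan (an e-mail address and an IBAN) and the expense claim (a card number); the marketing file is skipped because its digit run fails the Luhn check. A real discovery tool adds text extraction for PDF and Office formats and country-specific identifiers, which is why the product's coverage is listed per country.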

Audit of alternative collaboration tools

Employees can sometimes go further and upload important corporate information to third-party cloud services. In other words, they may be storing data in places, and by means, that the IT security team does not control.

That's why we recommend that you start by making it clear to your employees that they should not use third-party cloud services for confidential or sensitive data. Then monitor all cloud service usage by employees and block it as needed. Another feature of Kaspersky Endpoint Security Cloud, Cloud Discovery, can help here.
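As an added example of what "monitor cloud service usage and block as needed" looks like in practice (my own code, not Kaspersky's Cloud Discovery), the following script parses web proxy log lines, classifies each destination as a sanctioned collaboration service, a known third-party cloud storage service or unknown, and reports users who pushed sizeable uploads to unsanctioned storage. The log format, the sanctioned list (assuming a Microsoft 365 shop), the storage domain list and the sample lines are all constructed for the example; a real proxy's field names and the upload-size threshold will differ.

```python
"""Spotting uploads to unsanctioned cloud storage in proxy logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the business collaborates on Microsoft 365, so these hosts are sanctioned.
SANCTIONED = {"sharepoint.com", "onedrive.com", "office.com",
              "microsoft.com", "microsoftonline.com"}
# Illustrative list of third-party storage services. Note that API endpoints often
# live on a different domain from the website (dropboxapi.com vs dropbox.com).
CLOUD_STORAGE = {
    "dropbox.com": "Dropbox", "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive", "wetransfer.com": "WeTransfer",
    "mega.nz": "MEGA", "box.com": "Box",
}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed log format: timestamp user method url status request_bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def classify_host(host: str):
    """Return ('sanctioned'|'unsanctioned'|'unknown', label) by suffix match on the host."""
    host = host.lower()
    for dom in SANCTIONED:
        if host == dom or host.endswith("." + dom):
            return "sanctioned", dom
    for dom, name in CLOUD_STORAGE.items():
        if host == dom or host.endswith("." + dom):
            return "unsanctioned", name
    return "unknown", host


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def find_shadow_uploads(lines, min_bytes: int = 100_000) -> dict:
    """Map user -> [(service, host, bytes)] for uploads to unsanctioned storage."""
    report = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed line: skip rather than crash the run
        kind, name = classify_host(rec["host"])
        if kind == "unsanctioned" and rec["method"] in UPLOAD_METHODS and rec["bytes"] >= min_bytes:
            report[rec["user"]].append((name, rec["host"], rec["bytes"]))
    return dict(report)


def block_decision(host: str) -> str:
    """Policy: allow sanctioned services, block known unsanctioned storage, allow-and-log the rest."""
    kind, _ = classify_host(host)
    return {"sanctioned": "allow", "unsanctioned": "block"}.get(kind, "allow-and-log")


# Constructed sample log: three users, one day.
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z ayse GET https://contoso.sharepoint.com/sites/hr/Shared%20Documents 200 4120",
    "2024-05-02T09:16:41Z ayse PUT https://contoso-my.sharepoint.com/personal/ayse/Documents/scan.pdf 201 2211000",
    "2024-05-02T10:02:17Z mehmet POST https://content.dropboxapi.com/2/files/upload 200 5302144",
    "2024-05-02T10:05:55Z mehmet GET https://www.dropbox.com/home 200 8810",
    "2024-05-02T11:30:09Z deniz POST https://wetransfer.com/api/v4/transfers 200 18770231",
    "2024-05-02T11:31:00Z deniz POST https://login.microsoftonline.com/common/oauth2/token 200 1432",
]

if __name__ == "__main__":
    for user, uploads in find_shadow_uploads(SAMPLE_LOG).items():
        for service, host, size in uploads:
            print(f"{user}: {size} bytes to {service} ({host}) -> {block_decision(host)}")
```

On the sample log, Ayse's large PUT to SharePoint is ignored as sanctioned, Mehmet's browsing of dropbox.com is ignored as a download-only GET, and only Mehmet's Dropbox API upload and Deniz's WeTransfer upload are reported. The domain matching is suffix-based on purpose: blocking by exact hostname misses the API and regional endpoints that upload clients actually use.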

Cloud Discovery and Data Discovery complement the standard protection mechanisms of the solution. It therefore not only protects companies from external cyber threats, but also helps them comply with personal data protection laws and regulations.


Source: https://www.kaspersky.com.tr/blog/pii-protection-endpoint-cloud/10417/
