Friday, February 26, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

Managing Employee-Driven Privacy Risk

by Brian Lee
June 12, 2017
in Data Privacy, Featured
gold lock on black keyboard

Risk Profiles for Key Employee Groups

It’s becoming an all-too-familiar scenario: a hacker steals an organization’s customer and employee data, creating substantial remediation costs, slowing down the business and generating negative publicity. That said, there is a far more common cause of concern — employee risk. Nearly 60 percent of privacy failures result from an organization’s own employees. Brian Lee and Matt Cantrell have analyzed the privacy risk associated with three major employee groups.

with co-author Matt Cantrell

While hackers and cyberterrorists often make headlines, there is a far more common cause for concern when it comes to safeguarding companies’ confidential data – their employees. Research from CEB, now Gartner, indicates nearly 60 percent of privacy failures result from an organization’s own employees and, worse, over half of employee-driven privacy failures result from intentional behavior.

To reduce the chances of employees creating privacy failures, most organizations first create training and communications focused on the importance of data privacy. But these efforts can prove ineffective, especially if they are created with a one-size-fits-all approach. While privacy awareness is certainly important for all employees, messages on how to reduce privacy risks designed for entry-level employees may not be as applicable to managers, or for that matter, senior executives.

To ensure a privacy program drives the right behaviors among all employees, leaders must tailor risk management strategies to the unique characteristics of different employee groups. But what risks do these groups pose?

Non-Managers

As nonmanagement staff are typically the largest employee group within an organization, they account for a high volume of decisions and behaviors that can have important privacy implications. Despite their lack of seniority, our research finds that these employees often have significant access to confidential information. Specifically:

  • 61 percent can access their company’s proprietary information or trade secrets
  • 21 percent can access financial information about their customers
  • 20 percent can access other employees’ employment information (e.g., salary, employment history)

Given their level of access and number of decisions made, nonmanagers’ data protection habits can generate significant risk exposure. For example, more than four-in-10 employees report frequently leaving confidential data unattended in accessible locations like their desk or the printer tray, and nearly the same number frequently copy or email confidential data to a personal device or account to work at home or on the road.

This behavior exposes organizations to heightened privacy risk — most notably in the form of data breaches. To manage this risk, companies should ensure that all staff who access confidential data know how to safeguard it and why. At a minimum, organizations should launch an enterprisewide privacy awareness campaign that educates employees on appropriate behavior and provides resources to facilitate that behavior.

Additionally, certain groups require special attention because of the high-risk nature of their roles. These groups vary across companies, but common examples are data analytics teams that use customer data and HR teams that have employee information. These groups should receive additional, targeted training and communication that prepares them for risky scenarios specific to their roles.

Managers

In general, managers have more access to confidential data than nonmanagers. This access does not indicate a proportional increase in risk, however, because our research indicates that managers’ personal privacy behaviors are stronger than nonmanagers. Yet managers, given their influence on their teams, still have an outsized impact on an organization’s privacy behaviors.

For better or worse, managers set the standard for privacy behavior, and their teams follow it. Teams legitimize their decisions and prioritize competing interests — such as privacy and business outcomes — per their manager’s instructions and example. Unfortunately, several factors keep managers from emphasizing the right behaviors:

  • Competing Objectives — Managers may fear that diverting employee attention to explain why good privacy behaviors are important could jeopardize business outcomes.
  • Inadequate Preparation — Managers may not fully understand privacy expectations nor how to demonstrate or speak about them.
  • Overwhelming Expectations — In addition to their core job, managers have many additional responsibilities and expectations, making it difficult to remember and prioritize privacy.

As a result of these factors, managers can often fall short. Our data shows only 51 percent of employees say their direct managers clearly explain what is expected with regard to data privacy policies, processes and laws.

To improve managers’ impact on their teams’ privacy behaviors, ensure they receive training — whether through privacy or another function — that focuses on their role in privacy risk management in addition to awareness training. Further, give them talking points, sample communications and other resources to help them engage with their teams. Finally, maintain channels for managers to ask questions and escalate concerns, and make sure managers are aware of these channels.

Senior Executives

Privacy leaders’ typical concern regarding senior executives (defined for these purposes as division head/vice president and above) is often that they do not set a strong tone at the top. This is a legitimate concern, as many employees report weak privacy signals from their leadership. When it comes to confidential information, our data indicates only 36 percent of employees say senior leaders visibly reward and celebrate examples of good privacy behavior, and only about half say senior leaders frequently talk about the importance of following company policies, laws and regulations.

However, an exclusive focus on tone at the top ignores other concerns. While they do influence employees, senior executives themselves should also be considered a high-risk group. Not only can senior leaders access more types of confidential information than lower-level employees, but, surprisingly, they often fail to take adequate measures to protect this information. Our data indicates more than one-third of them sent confidential data to an unauthorized person in the past 12 months and nearly one-quarter would violate privacy policies to get work done.

Senior executives may compromise their personal privacy behaviors because the consequences seem intangible compared to their looming deadlines and pressure to meet business objectives. Real-world examples can help them understand the consequences of privacy-related decisions. Positive examples such as how strong privacy behavior can increase customer loyalty, and negative examples, such as the financial, operational and reputational costs of privacy failures, can demonstrate the effect of privacy behaviors on business outcomes. These positive and negative consequences can also be connected to executives’ behavior and provide opportunities to teach them how to safeguard confidential data in scenarios they are likely to encounter.

All employees with access to confidential data have the potential to cause privacy failures, but they have widely disparate risk profiles and training needs. To protect their organizations, privacy leaders should tailor their risk management strategies to the unique characteristics of each employee group.


Tags: tone at the top
Previous Post

The Kokesh Decision

Next Post

Revenue Recognition, Cybersecurity and PCAOB Inspection Reports Found to be Influencing Forces on Companies’ SOX Compliance Efforts

Brian Lee

Brian Lee is an experienced lawyer and Managing Vice President at Gartner, where he leads research focused on turning compliance and privacy departments into high-performing business units. Gartner is a research and advisory company headquartered in Stamford, Connecticut. Gartner helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions.

Related Posts

woman looking at horizon from mountain top

What’s on the Horizon for Anti-Corruption Enforcement?

February 25, 2021
cannabis leaf on $100 bill

The Intersection of EDD and Banking Cannabis

February 24, 2021
gold cup award on red background with stars

Ethisphere Announces the 2021 World’s Most Ethical Companies

February 23, 2021
illustration of hand holding flashlight illuminating hidden stairs

The Corporate Transparency Act: Pulling Back the Veil

February 23, 2021
Next Post
Revenue Recognition, Cybersecurity and PCAOB Inspection Reports Found to be Influencing Forces on Companies’ SOX Compliance Efforts

Revenue Recognition, Cybersecurity and PCAOB Inspection Reports Found to be Influencing Forces on Companies’ SOX Compliance Efforts

Access realtime data
Addressing systemic racism in the workplace SAI Global
Dynamic Risk Assessments with Workiva
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights