Managing Employee-Driven Privacy Risk

Risk Profiles for Key Employee Groups

It’s becoming an all-too-familiar scenario: a hacker steals an organization’s customer and employee data, creating substantial remediation costs, slowing down the business and generating negative publicity. That said, there is a far more common cause of concern — employee risk. Nearly 60 percent of privacy failures result from an organization’s own employees. Brian Lee and Matt Cantrell have analyzed the privacy risk associated with three major employee groups.

with co-author Matt Cantrell

While hackers and cyberterrorists often make headlines, there is a far more common cause for concern when it comes to safeguarding companies’ confidential data – their employees. Research from CEB, now Gartner, indicates nearly 60 percent of privacy failures result from an organization’s own employees and, worse, over half of employee-driven privacy failures result from intentional behavior.

To reduce the chances of employees creating privacy failures, most organizations first create training and communications focused on the importance of data privacy. But these efforts can prove ineffective, especially if they are created with a one-size-fits-all approach. While privacy awareness is certainly important for all employees, messages on how to reduce privacy risks designed for entry-level employees may not be as applicable to managers, or for that matter, senior executives.

To ensure a privacy program drives the right behaviors among all employees, leaders must tailor risk management strategies to the unique characteristics of different employee groups. But what risks do these groups pose?

Non-Managers

As nonmanagement staff are typically the largest employee group within an organization, they account for a high volume of decisions and behaviors that can have important privacy implications. Despite their lack of seniority, our research finds that these employees often have significant access to confidential information. Specifically:

• 61 percent can access their company’s proprietary information or trade secrets
• 21 percent can access financial information about their customers
• 20 percent can access other employees’ employment information (e.g., salary, employment history)

Given their level of access and number of decisions made, nonmanagers’ data protection habits can generate significant risk exposure. For example, more than four-in-10 employees report frequently leaving confidential data unattended in accessible locations like their desk or the printer tray, and nearly the same number frequently copy or email confidential data to a personal device or account to work at home or on the road.

This behavior exposes organizations to heightened privacy risk — most notably in the form of data breaches. To manage this risk, companies should ensure that all staff who access confidential data know how to safeguard it and why. At a minimum, organizations should launch an enterprisewide privacy awareness campaign that educates employees on appropriate behavior and provides resources to facilitate that behavior.

Additionally, certain groups require special attention because of the high-risk nature of their roles. These groups vary across companies, but common examples are data analytics teams that use customer data and HR teams that have employee information. These groups should receive additional, targeted training and communication that prepares them for risky scenarios specific to their roles.

Managers

In general, managers have more access to confidential data than nonmanagers. This access does not indicate a proportional increase in risk, however, because our research indicates that managers’ personal privacy behaviors are stronger than nonmanagers. Yet managers, given their influence on their teams, still have an outsized impact on an organization’s privacy behaviors.

For better or worse, managers set the standard for privacy behavior, and their teams follow it. Teams legitimize their decisions and prioritize competing interests — such as privacy and business outcomes — per their manager’s instructions and example. Unfortunately, several factors keep managers from emphasizing the right behaviors:

• Competing Objectives — Managers may fear that diverting employee attention to explain why good privacy behaviors are important could jeopardize business outcomes.
• Inadequate Preparation — Managers may not fully understand privacy expectations nor how to demonstrate or speak about them.
• Overwhelming Expectations — In addition to their core job, managers have many additional responsibilities and expectations, making it difficult to remember and prioritize privacy.

As a result of these factors, managers can often fall short. Our data shows only 51 percent of employees say their direct managers clearly explain what is expected with regard to data privacy policies, processes and laws.

To improve managers’ impact on their teams’ privacy behaviors, ensure they receive training — whether through privacy or another function — that focuses on their role in privacy risk management in addition to awareness training. Further, give them talking points, sample communications and other resources to help them engage with their teams. Finally, maintain channels for managers to ask questions and escalate concerns, and make sure managers are aware of these channels.

Senior Executives

Privacy leaders’ typical concern regarding senior executives (defined for these purposes as division head/vice president and above) is often that they do not set a strong tone at the top. This is a legitimate concern, as many employees report weak privacy signals from their leadership. When it comes to confidential information, our data indicates only 36 percent of employees say senior leaders visibly reward and celebrate examples of good privacy behavior, and only about half say senior leaders frequently talk about the importance of following company policies, laws and regulations.

However, an exclusive focus on tone at the top ignores other concerns. While they do influence employees, senior executives themselves should also be considered a high-risk group. Not only can senior leaders access more types of confidential information than lower-level employees, but, surprisingly, they often fail to take adequate measures to protect this information. Our data indicates more than one-third of them sent confidential data to an unauthorized person in the past 12 months and nearly one-quarter would violate privacy policies to get work done.

Senior executives may compromise their personal privacy behaviors because the consequences seem intangible compared to their looming deadlines and pressure to meet business objectives. Real-world examples can help them understand the consequences of privacy-related decisions. Positive examples such as how strong privacy behavior can increase customer loyalty, and negative examples, such as the financial, operational and reputational costs of privacy failures, can demonstrate the effect of privacy behaviors on business outcomes. These positive and negative consequences can also be connected to executives’ behavior and provide opportunities to teach them how to safeguard confidential data in scenarios they are likely to encounter.

All employees with access to confidential data have the potential to cause privacy failures, but they have widely disparate risk profiles and training needs. To protect their organizations, privacy leaders should tailor their risk management strategies to the unique characteristics of each employee group.