68 Percent of Employees Expose Critical Corporate Data by Mistake


A recent survey of 800 knowledge workers worldwide has found that 68 percent of professionals are exposing their companies' confidential information by failing to remove hidden data from documents they share with customers, suppliers or colleagues.

That's happening even though 65 percent of employees believe it's their responsibility to ensure that sensitive company data is not leaked.

The survey, conducted by Workshare, also found that 80 percent of employees use insecure file sharing methods, and almost 40 percent of respondents have used unknown Wi-Fi and Internet connections to share a file quickly.

"[I]f not sanctioned by IT, this sharing behavior leads to increasing levels of commercial and compliance risk as data leaves the confines of the corporate network without the control of IT groups," the report states. "There is a definite need for IT to regain control over company data and educate users about the risks inherent in sharing high-value content, while enabling them to work the way they want."

Thirty-five percent of employees say they don't consider the content of a document at all when sharing it internally or externally, and 70 percent of those who forward emails with attachments without reading them first do not remove sensitive data before sending them.

Workshare is offering a free educational tool designed to help users detect hidden data in documents.

These types of breaches unfortunately occur on a regular basis -- in March of 2014, a health plan administrator mistakenly emailed a spreadsheet containing Willis North America employees' names, email addresses, Social Security numbers and birthdates to an undisclosed number of employees; and in May of 2014, an attachment containing Hurley Medical Center employees' names and Social Security numbers was mistakenly included with an email sent to an undisclosed number of employees.

Third-party vendors can also expose corporate data -- in March of 2014, communications vendor RevSpring mistakenly attached a document containing NCO Financial Systems customers' names, addresses and Social Security numbers to an email to NCO loan customers.

And earlier this month, the U.K. Information Commissioner's Office (ICO) found Wales' Betsi Cadwaladr University Health Board in breach of the U.K.'s Data Protection Act after eight letters about patients were sent to the wrong address. "We accept mistakes can happen, but organizations must make sure employees handling sensitive personal information are given the necessary training to carry out their role," ICO Assistant Commissioner for Wales Anne Jones said in a statement.