Many regions around the world now have local laws regulating the processing and storage of personally identifiable information (PII). That’s in addition to the GDPR (General Data Protection Regulation), with which every company handling EU residents’ data in any way must comply.
Large organizations have relatively clear strategies for complying with all of those laws and regulations. Typically, they give an employee — a data protection officer (DPO) — the responsibility of ensuring compliance with the rules on processing personal data, and they allocate sizable budgets to the development of internal regulations and for conducting regular audits. However, a lack of resources can make compliance more challenging for small organizations.
The problem most often lies with employees, not all of whom are as careful as they should be with other people’s personal data. That carelessness can lead to unintentional leaks.
Consider one common scenario: employees who deal with PII daily storing scans containing personal data in a corporate shared environment. From their point of view, they’re simply uploading data to the company’s OneDrive or SharePoint directories. Strictly speaking, their actions do not constitute a leak, but they have made the data accessible to colleagues who may not be appropriately trained to work with such information and who therefore should not have access to it.
The problem is not that these colleagues will necessarily allow a data leak to occur. However, thinking that they do not have access to any supercritical or confidential information, they may accidentally leave their work laptop unsupervised from time to time. Furthermore, if the organization experiences an unrelated data leak incident, a surprise audit of its data processing and storage practices — and, potentially, hefty fines for allowing broad employee access to customers’ or employees’ personal data — may follow.
How to minimize the risk of personal data landing in shared access
The simplest way to keep personal data out of shared storage is to monitor whether employees use business collaboration tools to transmit such data. That is to say, you need to understand exactly what employees are sharing, where they store the information, and whether they share links to it with anyone outside the organization. In theory, you need a separate DLP solution to do that, but not all businesses have the resources for one. There is an alternative, though.
The Data Discovery feature in our latest Kaspersky Endpoint Security Cloud solution is an excellent option for any organization that uses Microsoft 365 services for collaboration. Data Discovery detects files containing PII or bank card data, clearly shows its location, and provides additional context — independent of whether the information is stored in a structured or unstructured format.
Although the feature currently operates only with German, Italian, and American document formats, we are continuing to refine it. We expect the product to support detection of other countries’ documents in the near future.
Control over alternative collaborative tools
We know that employees may sometimes go further and upload important corporate information onto third-party cloud services. In other words, they may be storing data in places and with tools whose security IT does not control.
We therefore recommend that you start by clearly explaining to your employees that they must not use third-party cloud services for confidential or sensitive data. Then, monitor all use of cloud services and block them as needed. Another feature in Kaspersky Endpoint Security Cloud — Cloud Discovery — can help there.
The Cloud Discovery and Data Discovery features supplement our solution's standard protection mechanisms. Thus, it not only protects companies from external cyberthreats but also makes compliance with personal data protection laws and regulations easier.