How Sensitive Data Leaks Through Everyday Workflows

The majority of organizations associate data security breaches and failures with extreme carelessness and the presence of potentially malicious internal cyber attacks. However, the most nefarious and damaging breaches are often caused by the smallest and most benign errors or oversights. 

Data leaks tend to be truly unintentional, of smaller volume, and, as such, regularly go unnoticed and unmonitored over time. If data leakage continues to occur over time, it can become as severe as a fully developed breach. 

Most data leak incidents are caused by a minor oversight or error that becomes a part of the employee’s day-to-day workflow. The following five workflow habits are the most common ways an organization may inadvertently allow sensitive data to escape from the organization.  

Recognizing these blind spots and applying best practices in security is essential for protecting the organization’s most valuable asset and sustaining long-term compliance.

KEY TAKEAWAYS

• Required for all devices issued by the Company to ensure encryption and protection of data.
• Utilize Artificial Intelligence Policies and Tools to Protect Input Information.
• Require VPNs to be used by all employees who are connecting externally to encrypt their traffic.
• Centralize Knowledge Repositories to reduce duplication of resources and eliminate silos of information.

Inconsiderate Document Sharing

Handoffs and collaboration are critical to most team-based workflows in an office environment. However, both the act of sharing itself and the contents including a document can lead to data exposure.

It’s all too common to enable access to a shared document through an open link. A single recipient who carelessly exposes or forwards that link is all it takes to compromise access.

On the other hand, you may believe that a document does not contain sensitive information and be in error. For example, the document’s current version may look alright, but a previous edit could have kept sensitive information that online writing software and cloud storage preserve. Even a document’s metadata, like email addresses, connected author names, or comments, reveals a lot.

The access challenges can be addressed through individual and timed links shared via a single agreed-upon source. It’s also a good idea to adopt a quick review policy before sending documents off to ensure no sensitive data is contained or traceable. 

Unmanaged Devices 

A source of headaches for IT departments everywhere, unmanaged devices are phones, the personal computers, and tablets employees use to interact with sensitive business data. The risks are many and diverse.

The OS and software on the device may be out of date, allowing cyberattacks by exploiting known weaknesses. Sensitive information may also be stored on them simply, without encryption. Couple that with weaker access control standards, and even a stolen laptop suddenly becomes a highly efficient attack vector.

The obvious answer is to insist on the exclusive use of company-sanctioned devices, done with adequate encryption and access control measures. Less obvious is making sure that the software employees use for backup and storage does not sync to their personal accounts and unsanctioned outside sources. 

Copy-Pasting into AI Chat Tools 

Generative AI, particularly large language models (LLMs), is quickly becoming an integral part of most people’s workflows. They excel at drafting reports, summarizing information, and providing templates for professional communication.

Unsurprisingly, people are speeding up tasks, such as answering emails or writing marketing copy by feeding the AI concrete data, much of which can be sensitive. The AI cannot respond without processing and storing such data. If it has other integrations, it may even pass the data on to third parties.

The solution moves down to policy and observability. A clear policy demands instructions on best practices when interacting with AI and defines in no uncertain terms what data is considered sensitive and off-limits for such interactions. AI guardrails enforce these boundaries automatically, helping prevent accidental exposure of sensitive details and ensuring compliance with internal and regulatory standards.

LLM observability tools track the data going in and out of AI systems. They can determine and preempt PII or other sensitive data from interacting with AI tools and log all cases of when this was attempted. LLM observability also allows personnel in charge of security and compliance to check repeated potentially harmful inputs and either train or sanction responsible users. 

Unsecured Wi-Fi 

Most of the employees still work in distributed teams. It’s also not uncommon for regular team members to check in while attending business trips or during vacation. Even if they do so using company-issue devices, the networks they connect to might be compromised.

Public Wi-Fi is the worst offender since it’s available everywhere, can be accessed automatically, and is easy to fake. An employee might be thinking they are working from a café’s Wi-Fi. In reality, they may unintentionally connect to a spoofed network that lets its creator check unencrypted traffic or redirect legitimate searches to malicious websites.

You cannot control where employees connect from, but you can make VPNs mandatory for accessing company networks externally. The VPN will encrypt the connection, making it impossible to track or intercept the data that is exchanged over it. 

Siloed Knowledge 

Collaboration usually extends beyond teams and departments, yet knowledge systems might not. Consequently, employees devise unsafe workarounds to access needed resources. For example, they may call colleagues to send a document through an unsanctioned communication tool.

Similarly, siloing resources may lead teams to create redundant knowledge bases. These may then contain different versions of the same documents, potentially complete with sensitive data that users are not aware of.

Silo breakdowns happen when setting up a centralized knowledge repository that serves as a single source of truth for everyone. Access to such repositories needs to be tracked about and logged. Moreover, naming and storage conventions required to be in place to avoid accidental duplication.

---