Where employees are missing the mark on confidential information
Consumers trust organizations with a trove of confidential, personal data.
Even employees trust their employers to keep their private information safe. Unfortunately, confidential information continues to be exposed at an alarming rate, usually through poor computer security practices.
After three-quarters of the year, 2019 was on track to be the worst year for data breaches, with 7.9 billion records exposed—a 33 percent increase over 2018. For perspective, there are only about 7.8 billion people on the planet.
The exposure or theft of confidential information is especially concerning because it represents an intrusion on people’s lives—and a violation of their trust. Protecting that information isn’t just the purview of IT; front-line employees are also responsible for maintaining compliance and earning people’s trust in everything they do.
Through years of data-collecting, Learning Pool has identified confidential information and computer security trends and concepts in which employees are generally strong or lacking. Our findings paint a picture of optimism and reveal a path to better compliance.
Why protecting confidential information matters
Put simply, protecting confidential information comes down to two priorities: protecting customer info and protecting company info. The former gets much of the attention in the mainstream—news about most data breaches includes how many customer records were exposed. Cybercriminals use confidential information such as Social Security numbers, birth dates, credit card and bank account numbers, passwords, personal health information, and email and physical addresses to steal assets or identities from victims.
Yet protecting confidential company information is equally important because bad guys with access to sensitive documents and data can inflict real damage on an organization. The 2014 Sony Pictures breach is an example of the danger businesses face when private internal documents are compromised and revealed for the world to see.
Besides the reputational damage organizations might suffer from exposing confidential information—on top of the real-world repercussions that individual victims encounter—a host of guidelines and laws govern the protection of data that is supposed to remain private. GDPR fines are starting to become serious, and violations of HIPAA, the American law that includes the protection of patient health data, can also be expensive.
What our data says
Here at Learning Pool, we pride ourselves on being data mavens. Besides our courses providing our clients rich metrics and analytics, we’ve accumulated data from the millions of users who’ve taken those modules and answered questions about the real-world scenarios contained within. The insights from our confidential information and computer security course are promising, but also a little concerning.
The good news is that employees who have taken this course score a 90 percent, meaning they only need immediate coaching and feedback 10 percent of the time before demonstrating proficiency. That’s an impressive number and higher than some of our other technical compliance modules. Moreover, when broken down into more focused categories:
- Reporting scores at 97 percent.
- Records management comes in at 94.
- Electronic resources scores a 92.
These numbers suggest employees understand why protecting confidential information is serious and everyone’s responsibility.
However, the category covering scenarios on information security basics doesn’t score as well, at just 82 percent. That’s not a horrible number, but it still suggests that one in five employees is not as proficient in digital best practices as they should be—and that’s more risk than you might want to accept. Although employees may accidentally share confidential information in a live conversation, too often, carelessness with electronic channels is what exposes data that should be protected.
Train for success
Company directives and IT-issued testing and alerts are good strategies for reminding employees of threats and best practices, but nothing beats online compliance training to drive home what people should and must know about confidential information and computer security.
As our data shows, employees are already strong in their knowledge of many key best practices. Great training not only strengthens that knowledge and teaches new, important concepts, but also builds a sort of “muscle memory” so that employees internalize compliance and don’t struggle with decisions; they know and execute the correct course of action.
To maximize learning, confidential information training should be interactive and relevant, immersing users into scenarios and situations they might encounter on the job. Also, the training should be adaptive, automatically adjusting with every interaction the employee makes during the course. In this way, learners who immediately grasp the material and those who struggle with the concepts arrive at the same destination—mastery of the subject matter—no matter the path taken to get there.
Organizations can also use the data from training to see where the weaknesses are and take steps to bridge those gaps. Predictive analytics identify problems before they turn into crises, which also strengthens employees’ core compliance knowledge and, ultimately, protects the company.
Compliance—and learning—never stops
Confidential information and computer security best practices are always developing and evolving—as sure as the bad guys continually figure out new ways to exploit what people and businesses are trying to protect. Furthermore, employees’ compliance knowledge may get a little rusty over time. One-and-done training, though better than nothing, doesn’t keep compliance top of mind with employees throughout the year and beyond.
Much like an individual course is a learning journey for the user, compliance is also an ongoing process, and regular training and awareness are needed to keep employees sharp, updated, and confident. Reinforcement tools such as microlearning and job aids operationalize compliance so that it’s more of a continuous responsibility and less something people only occasionally consider. Confidential information must remain confidential—and you can give employees the tools to help them make it so.