Train Workforce Members on Causes of Unintentional Data Exposure
Description
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Tool Recommendations
- KnowBe4 (per-user subscription): security awareness training platform with simulated phishing, interactive training modules, and compliance reporting
- Proofpoint (per-user subscription): adaptive security awareness and behavior change platform with targeted training based on real threat data
- Cofense (per-user subscription): phishing simulation and security awareness platform with real-time threat intelligence and incident response
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Accidental Email of Sensitive Data to Wrong Recipient
Impact: Confidentiality. An employee sends a spreadsheet containing customer financial records to an external party by misaddressing the email because they were never trained on the risks and prevention of mis-delivery.
Sensitive Data Published to Public-Facing System
Impact: Confidentiality. An employee uploads an internal document containing trade secrets to a publicly accessible collaboration platform because they were not trained to recognize the risk of publishing data to unintended audiences.
Loss of Unencrypted Portable Device Containing Sensitive Data
Impact: Confidentiality. An employee loses a USB drive containing unencrypted sensitive data at an airport because they were never educated on the risks of storing sensitive data on portable media without encryption.
Vulnerabilities (When Safeguard Absent)
No Training on Unintentional Data Exposure Scenarios
Without awareness of common accidental exposure scenarios, employees unknowingly share sensitive data through misdirected emails, improper sharing permissions, and unsecured portable devices.
Lack of Awareness About Data Sharing Platform Risks
Employees untrained on unintentional exposure risks may share files via public links, post sensitive data in wrong channels, or misconfigure sharing settings on cloud platforms.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |