Employees That Cause Data Breaches

When it comes to cyber-crime, it’s easy to imagine that the biggest threat to your company is external. However, more and more companies are realising that trusted and trained employees can also pose an enormous threat.

Indeed, a recent report by Haystax Technology discovered that 74% of organizations questioned “feel vulnerable to insider threats,” with 56% of security professionals certain that “insider threats have become more frequent” over the past year.

While some attacks and breaches are caused by employees with a grudge, many also occur due to negligence, perhaps ignoring a warning; failing to follow procedure, or simple human error. We have identified three types of employees that can cause a data breach. Read on.

1.    Innocent actions

When it comes to breach of data, innocent workers can cause as much damage as malicious hackers; a lesson learned by local authorities in Norfolk, Suffolk and Cambridgeshire, UK, which recorded over 160 data breaches between 2014 and 2015, the majority due to human error (including mobile phones being lost, letters being misaddressed and even a filing cabinet containing sensitive data being sold to a third party).

Another example can be seen with the 2016 data breach at the American firm Federal Deposit Insurance Corp. (FDIC). In this instance, an innocent former employee “inadvertently and without malicious intent” downloaded sensitive data onto a personal storage device.

With cases like those above, it is hardly surprising that 74% of those surveyed by Haystax were most concerned about this type of inadvertent data breach.

2. Careless or negligent?

You know the security warning that flashes up on your screen, do you always take immediate action? A survey by Google in 2013 discovered that 25 million Chrome warnings were ignored by 70.2% of the time partly due to users’ lack of technical knowledge, which led to the tech giant simplifying language it uses for its warnings.

Elsewhere, St. Joseph Health System suffered a breach in 2012 in which security settings were “misconfigured,” leading to private medical records being visible online. Due to the sensitive nature of the records it is perhaps unsurprising that the lawsuit which followed cost the company millions of dollars.

3. Malicious

Unfortunately, as well as human error, malicious actions by employees also play a part in insider data breaches. This is illustrated by the story of the UK’s communications regulator OFCOM, which discovered in 2016 that a former employee had sneakily been gathering its third-party data. Shockingly, the malicious activity had been taking place over a six-year period.

UK supermarket giant Morrisons also reportedly fell-foul of a disgruntled employee who posted the personal data of nearly 100,000 of its staff on the internet. Although the incident occurred in 2014, the company is still facing the prospect of further legal action by staff over the breach.

What can be done?

According to a 2016 survey, 93% of respondents consider human behavior to be the greatest risk to data protection. Nuix, which commissioned the survey, believes that corporations may start reprimanding employees who “misunderstand, misinterpret, or miscalculate longstanding security policies and procedures”.

And with the impact of a data leak causing damage to businesses, including financial losses and the damage to a firm’s reputation, it’s unsurprising that companies are open to finding ways to mitigate and limit computer misuse.

Increase employee awareness

Perhaps the most logical step for employers is to ensure that all employees are aware of the potential impact of their actions, and how to avoid inadvertent data loss. It is also important to involve all employees in appropriate training, rather than simply those involved directly with IT.

Keep information safe

According to ESET’s Stephen Cobb, “there are a million reasons to encrypt data”. While not embraced by all, encrypting data could be an important part of preventing data loss.

Monitor data, and behaviours

Keeping a close eye on computer use and the behaviours of individuals should enable businesses to remain aware of and identify unusual or risky activity. BOYD (bring your own device) schemes which operate in many companies should also be carefully monitored and controlled.

Look to the future

With the risk posed by employees, however innocent, potentially catastrophic to business, it is hardly surprising that employers seem set to take a much tougher approach to insider security threats in future years.

WeLiveSecurity

You Might Also Read: 

Directors Report:Cyber Security Checklist For Management (£):

Rapid Detection Is Key To Cyber Attacks On Business:

Bank Data Breaches Are Up And It's An Inside Job:

 

« Small Businesses Should Consider Cyber Insurance
Guidance For Connected Vehicle Security »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Mimecast

Mimecast

Mimecast delivers cloud-based email management for Microsoft Exchange and Microsoft Office 365 including archiving, continuity and security.

SAMATE

SAMATE

The Software Assurance Metrics And Tool Evaluation project is an inter-agency project between the US Department of Homeland Security and NIST.

Institute for Cybersecurity & Privacy (ICSP) -  University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

Phew

Phew

Phew are New Zealand cyber security specialists with expertise and experience forged in global financial markets, IT&T, management consulting and SME business management.

Egyptian Supreme Cybersecurity Council (ESCC)

Egyptian Supreme Cybersecurity Council (ESCC)

ESCC is responsible for developing a national strategy to face and respond to the cyber threats and attacks and to oversee its implementation and update.

GuardianKey

GuardianKey

GuardianKey is a solution to protect systems against authentication attacks.

Metrarc

Metrarc

Metrarc has developed a ground-breaking technology called ICMetrics™ for deriving secure encryption keys from the properties of digital systems without the need to store any of the encryption keys.

BELAC

BELAC

BELAC is the national accreditation body for Belgium.

BIND 4.0

BIND 4.0

Bind 4.0 is an acceleration program geared toward tech startups with solutions applied to Advanced Manufacturing, Smart Energy, Health Tech or Food Tech fields.

Kaspersky Industrial CyberSecurity (KICS)

Kaspersky Industrial CyberSecurity (KICS)

Kaspersky addresses all the cybersecurity needs of industrial organizations in its Kaspersky Industrial CyberSecurity (KICS) portfolio.

LibraSoft

LibraSoft

Librasoft creates solutions to protect information from external and internal threats.

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

Tidal Cyber

Tidal Cyber

We formed Tidal for one simple reason—we believe that defenders need and deserve tools and services that make achieving the benefits of threat-informed defense practical and sustainable.

Access Venture Partners

Access Venture Partners

Access Venture Partners are an early stage VC firm investing in bold founders and helping every step of the way. Areas we give special focus to include cybersecurity.

CyberNut

CyberNut

CyberNut are a security awareness training solution built exclusively for schools.

Coalition for Secure AI (CoSAI)

Coalition for Secure AI (CoSAI)

CoSAI is an open ecosystem of AI and security experts from industry leading organizations dedicated to sharing best practices for secure AI deployment and collaborating on AI security research.

Sciber

Sciber

Sciber - data-driven cybersecurity. Strengthen your cyber defence with proactive, science-based and improvement-driven services.