Employees That Cause Data Breaches

When it comes to cyber-crime, it’s easy to imagine that the biggest threat to your company is external. However, more and more companies are realising that trusted and trained employees can also pose an enormous threat.

Indeed, a recent report by Haystax Technology discovered that 74% of organizations questioned “feel vulnerable to insider threats,” with 56% of security professionals certain that “insider threats have become more frequent” over the past year.

While some attacks and breaches are caused by employees with a grudge, many also occur due to negligence, perhaps ignoring a warning; failing to follow procedure, or simple human error. We have identified three types of employees that can cause a data breach. Read on.

1.    Innocent actions

When it comes to breach of data, innocent workers can cause as much damage as malicious hackers; a lesson learned by local authorities in Norfolk, Suffolk and Cambridgeshire, UK, which recorded over 160 data breaches between 2014 and 2015, the majority due to human error (including mobile phones being lost, letters being misaddressed and even a filing cabinet containing sensitive data being sold to a third party).

Another example can be seen with the 2016 data breach at the American firm Federal Deposit Insurance Corp. (FDIC). In this instance, an innocent former employee “inadvertently and without malicious intent” downloaded sensitive data onto a personal storage device.

With cases like those above, it is hardly surprising that 74% of those surveyed by Haystax were most concerned about this type of inadvertent data breach.

2. Careless or negligent?

You know the security warning that flashes up on your screen, do you always take immediate action? A survey by Google in 2013 discovered that 25 million Chrome warnings were ignored by 70.2% of the time partly due to users’ lack of technical knowledge, which led to the tech giant simplifying language it uses for its warnings.

Elsewhere, St. Joseph Health System suffered a breach in 2012 in which security settings were “misconfigured,” leading to private medical records being visible online. Due to the sensitive nature of the records it is perhaps unsurprising that the lawsuit which followed cost the company millions of dollars.

3. Malicious

Unfortunately, as well as human error, malicious actions by employees also play a part in insider data breaches. This is illustrated by the story of the UK’s communications regulator OFCOM, which discovered in 2016 that a former employee had sneakily been gathering its third-party data. Shockingly, the malicious activity had been taking place over a six-year period.

UK supermarket giant Morrisons also reportedly fell-foul of a disgruntled employee who posted the personal data of nearly 100,000 of its staff on the internet. Although the incident occurred in 2014, the company is still facing the prospect of further legal action by staff over the breach.

What can be done?

According to a 2016 survey, 93% of respondents consider human behavior to be the greatest risk to data protection. Nuix, which commissioned the survey, believes that corporations may start reprimanding employees who “misunderstand, misinterpret, or miscalculate longstanding security policies and procedures”.

And with the impact of a data leak causing damage to businesses, including financial losses and the damage to a firm’s reputation, it’s unsurprising that companies are open to finding ways to mitigate and limit computer misuse.

Increase employee awareness

Perhaps the most logical step for employers is to ensure that all employees are aware of the potential impact of their actions, and how to avoid inadvertent data loss. It is also important to involve all employees in appropriate training, rather than simply those involved directly with IT.

Keep information safe

According to ESET’s Stephen Cobb, “there are a million reasons to encrypt data”. While not embraced by all, encrypting data could be an important part of preventing data loss.

Monitor data, and behaviours

Keeping a close eye on computer use and the behaviours of individuals should enable businesses to remain aware of and identify unusual or risky activity. BOYD (bring your own device) schemes which operate in many companies should also be carefully monitored and controlled.

Look to the future

With the risk posed by employees, however innocent, potentially catastrophic to business, it is hardly surprising that employers seem set to take a much tougher approach to insider security threats in future years.

WeLiveSecurity

You Might Also Read: 

Directors Report:Cyber Security Checklist For Management (£):

Rapid Detection Is Key To Cyber Attacks On Business:

Bank Data Breaches Are Up And It's An Inside Job:

 

« Small Businesses Should Consider Cyber Insurance
Guidance For Connected Vehicle Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

InfoSec People

InfoSec People

InfoSec People is a boutique cyber and technology recruitment consultancy, built by genuine experts.

Virgil Security

Virgil Security

Virgil Security provides easy-to-deploy and easy-to-use cryptographic software and services for use by developers and end-users.

Cyber Discovery

Cyber Discovery

Cyber Discovery, the UK Government's Cyber Schools Programme, is a learning programme designed to give young people the opportunity to learn the skills needed to enter the cyber security profession.

Redshift Consulting

Redshift Consulting

Redshift is an information management and information security consulting company offering a full range of services from infrastructure design to security assessments and network monitoring.

Cyber Security Education

Cyber Security Education

CybersecurityEducation.org is an online directory of cyber security education and careers.

Vigilant Software

Vigilant Software

Vigilant Software develops industry-leading tools for intelligent, simplified compliance, including ISO27001-risk management and EU GDPR.

Dutch Innovation Park

Dutch Innovation Park

Dutch Innovation Park in Zoetermeer is a breeding ground for applied IT solutions in the field of cyber security, e-health, smart mobility and big data.

VLATACOM Institute

VLATACOM Institute

Vlatacom Institute is privately owned accredited research and development institute, system integrator and turn-key solution provider. Areas of expertise include encryption and authentication.

StateRAMP

StateRAMP

StateRAMP reduces risk from unsecure cloud solutions and protects data by providing State and local governments a standardized approach for verifying and monitoring security postures.

DAtAnchor

DAtAnchor

Anchor is simply a better way to protect and control sensitive data. Zero-trust, data-centric security. Simplified.

Input Output (IOHK)

Input Output (IOHK)

IOHK is one of the world's pre-eminent blockchain infrastructure research and engineering companies.

Rocky Mountain Cybersecurity

Rocky Mountain Cybersecurity

Rocky Mountain Cybersecurity's mission is to provide value by dramatically improving the cybersecurity posture of our clients and business partners.

Clearvision

Clearvision

As an Atlassian Platinum Solution Partner, Clearvision works with teams in the UK and US, providing solutions for the Atlassian stack, Git and open source tooling.

Bastion Networks

Bastion Networks

Bastion are a security-focussed managed solution provider and consultancy. We work with advanced cyber security vendors to produce managed security solutions to protect from online threats.

ZoobeTek

ZoobeTek

ZoobeTek are a company focused on preventing leaks related to the security of business information3.

TIM Enterprise

TIM Enterprise

TIM Enterprise offers innovative, sustainable and secure 360-degree digital solutions to companies and public administrations.