Employees That Cause Data Breaches

When it comes to cyber-crime, it’s easy to imagine that the biggest threat to your company is external. However, more and more companies are realising that trusted and trained employees can also pose an enormous threat.

Indeed, a recent report by Haystax Technology discovered that 74% of organizations questioned “feel vulnerable to insider threats,” with 56% of security professionals certain that “insider threats have become more frequent” over the past year.

While some attacks and breaches are caused by employees with a grudge, many also occur due to negligence, perhaps ignoring a warning; failing to follow procedure, or simple human error. We have identified three types of employees that can cause a data breach. Read on.

1.    Innocent actions

When it comes to breach of data, innocent workers can cause as much damage as malicious hackers; a lesson learned by local authorities in Norfolk, Suffolk and Cambridgeshire, UK, which recorded over 160 data breaches between 2014 and 2015, the majority due to human error (including mobile phones being lost, letters being misaddressed and even a filing cabinet containing sensitive data being sold to a third party).

Another example can be seen with the 2016 data breach at the American firm Federal Deposit Insurance Corp. (FDIC). In this instance, an innocent former employee “inadvertently and without malicious intent” downloaded sensitive data onto a personal storage device.

With cases like those above, it is hardly surprising that 74% of those surveyed by Haystax were most concerned about this type of inadvertent data breach.

2. Careless or negligent?

You know the security warning that flashes up on your screen, do you always take immediate action? A survey by Google in 2013 discovered that 25 million Chrome warnings were ignored by 70.2% of the time partly due to users’ lack of technical knowledge, which led to the tech giant simplifying language it uses for its warnings.

Elsewhere, St. Joseph Health System suffered a breach in 2012 in which security settings were “misconfigured,” leading to private medical records being visible online. Due to the sensitive nature of the records it is perhaps unsurprising that the lawsuit which followed cost the company millions of dollars.

3. Malicious

Unfortunately, as well as human error, malicious actions by employees also play a part in insider data breaches. This is illustrated by the story of the UK’s communications regulator OFCOM, which discovered in 2016 that a former employee had sneakily been gathering its third-party data. Shockingly, the malicious activity had been taking place over a six-year period.

UK supermarket giant Morrisons also reportedly fell-foul of a disgruntled employee who posted the personal data of nearly 100,000 of its staff on the internet. Although the incident occurred in 2014, the company is still facing the prospect of further legal action by staff over the breach.

What can be done?

According to a 2016 survey, 93% of respondents consider human behavior to be the greatest risk to data protection. Nuix, which commissioned the survey, believes that corporations may start reprimanding employees who “misunderstand, misinterpret, or miscalculate longstanding security policies and procedures”.

And with the impact of a data leak causing damage to businesses, including financial losses and the damage to a firm’s reputation, it’s unsurprising that companies are open to finding ways to mitigate and limit computer misuse.

Increase employee awareness

Perhaps the most logical step for employers is to ensure that all employees are aware of the potential impact of their actions, and how to avoid inadvertent data loss. It is also important to involve all employees in appropriate training, rather than simply those involved directly with IT.

Keep information safe

According to ESET’s Stephen Cobb, “there are a million reasons to encrypt data”. While not embraced by all, encrypting data could be an important part of preventing data loss.

Monitor data, and behaviours

Keeping a close eye on computer use and the behaviours of individuals should enable businesses to remain aware of and identify unusual or risky activity. BOYD (bring your own device) schemes which operate in many companies should also be carefully monitored and controlled.

Look to the future

With the risk posed by employees, however innocent, potentially catastrophic to business, it is hardly surprising that employers seem set to take a much tougher approach to insider security threats in future years.

WeLiveSecurity

You Might Also Read: 

Directors Report:Cyber Security Checklist For Management (£):

Rapid Detection Is Key To Cyber Attacks On Business:

Bank Data Breaches Are Up And It's An Inside Job:

 

« Small Businesses Should Consider Cyber Insurance
Guidance For Connected Vehicle Security »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

Cloudmark

Cloudmark

Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world’s inboxes from wide-scale and targeted email threats.

Momentum Cyber

Momentum Cyber

Momentum Cyber provides world-class M&A and strategic advice combined with unparalleled senior-level access to the Cybersecurity ecosystem.

Vintegris

Vintegris

Vintegris are a Certification Authority and manufacturer of innovative systems and applications for the full cycle of digital identity.

IoT Security Institute (IoTSI)

IoT Security Institute (IoTSI)

IoT Security Institute is an academic and industry body dedicated to providing frameworks and supporting educational services to assist in managing security within an Internet of Things eco-system.

Orca Security

Orca Security

Orca Security delivers full stack visibility including prioritized alerts to vulnerabilities, compromises, misconfigurations, and more across your entire inventory on all your cloud accounts.

Tapestry Technologies

Tapestry Technologies

Tapestry Technologies supports the Department of Defense in shaping its approach to cybersecurity.

Norma Inc.

Norma Inc.

Norma provides the secured wireless environment (WiFi and Bluetooth) with the unauthorized AP detection, and secures your IoT assets from various threats.

Stripe OLT

Stripe OLT

At Stripe OLT, we provide complete business technology solutions - Our team has an unrivalled reputation as a Microsoft Gold Partner, specialising in secure, cloud-first technology.

CloudDefense.AI

CloudDefense.AI

CloudDefense.AI is an industry-leading multi-layered Cloud Native Application and Protection Platform (CNAPP) that safeguards your cloud infrastructure and cloud-native apps,

Evervault

Evervault

Evervault provides engineers easy solutions to complex data security and compliance problems.

Systems Engineering

Systems Engineering

Systems Engineering is a SOC 2, Type 2-certified IT strategy and managed technology services provider.

GAM Tech

GAM Tech

GAM Tech is a Managed IT Service Provider that serves small and medium sized businesses in Alberta, British Columbia, Ontario and Quebec.

Arctera

Arctera

Arctera simplifies data management to keep you secure. Our company operates as three units - Data Compliance, Data Resilience, and Data Protection.

VCI Global (VCIG)

VCI Global (VCIG)

VCI Global is a diversified holding company. Through its subsidiaries, it focuses on consulting, fintech, AI, robotics, and cybersecurity.

Hurricane Labs

Hurricane Labs

Hurricane Labs is a managed security services provider (MSSP) that focuses on Splunk.