In mid-May 2017 the WannaCry ransomware outbreak brought organisations including the NHS, Telefónica and FedEx to a standstill. Incidents such as this keep the public focus firmly fixed on attacks by faceless criminal third parties. However, when it comes to the protection of vital corporate and client data, organisations must also recognise the risks much closer to home, posed by their own personnel. IBM's "2016 Cyber Security Intelligence Index" found that 60% of all attacks were carried out by insiders. Three quarters of these attacks were malicious, with the remainder involving reckless or inadvertent breaches by employees. Given the potential financial, reputational and operational ramifications for a business, it may be necessary to think again about how we tackle cybercrime.
Cyber risk isn't just a matter for an organisation's IT department, or a question of having the most up-to-date software. Employees need to be trained to understand cyber risk and given the tools to identify and deal with such risk appropriately. This can only be done effectively if the whole organisation buys into the process. It is fundamentally a governance issue: as with any other area of risk, it must be managed coherently, with arrangements covering everyone who can access organisational information, including directors, employees and contractors.
Human error and malicious intent
Not all data breaches are deliberate or malicious: many are down to simple human error. It may involve a lost memory stick, an email inadvertently sent to an incorrect email address or papers left in a public place. For example, a newsletter sent by a London HIV clinic to 781 patients in September 2015 attracted a £180,000 fine from the UK Information Commissioner in May 2016: the sender had typed the patients' addresses into the "To" box rather than using the "Bcc" (blind copy) option, so every recipient could see the addresses of everyone else who used the service. Similarly, dating website Guardian Soulmates saw the email addresses of its subscribers made publicly available as a result of human error on the part of a third party contractor.
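The To/Bcc mistake above is cheap to prevent in any system that sends bulk mail on an organisation's behalf. The following is an added example, not code from the article: it builds a mailing with the recipients in Bcc and refuses to release any message whose To/Cc headers would disclose more addresses than a configured limit. The sender address, recipient list and the limit of one visible address are constructed assumptions.

```python
"""Added example (not from the original article): construct a bulk mailing
so that recipients cannot see each other, and check a message for address
disclosure before it is released. All addresses below are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: a newsletter should show at most one visible address
# (the sender's own), everyone else goes in Bcc.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed recipient list standing in for a clinic's patient mailing.
RECIPIENTS = [
    "patient1@example.net",
    "patient2@example.net",
    "patient3@example.net",
    "patient4@example.net",
    "patient5@example.net",
]


def exposed_addresses(msg):
    """Addresses every recipient will be able to read: To and Cc only.

    Bcc is deliberately excluded: smtplib.SMTP.send_message strips the Bcc
    header before transmission, so those addresses are never disclosed.
    """
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def disclosure_risk(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """True if sending this message would reveal recipient addresses."""
    return len(exposed_addresses(msg)) > max_visible


def safe_to_send(msg):
    return not disclosure_risk(msg)


def build_mailing(sender, recipients, subject, body, hide_recipients=True):
    """Build a bulk message.

    hide_recipients=True  -> recipients in Bcc, only the sender in To.
    hide_recipients=False -> recipients in To: the mistake described in the
                             article, kept here to show the check catching it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if hide_recipients:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    return msg


if __name__ == "__main__":
    sender = "newsletter@clinic.example.org"
    good = build_mailing(sender, RECIPIENTS, "Monthly newsletter", "Hello")
    bad = build_mailing(sender, RECIPIENTS, "Monthly newsletter", "Hello",
                        hide_recipients=False)
    print("Bcc mailing safe to send:", safe_to_send(good))   # True
    print("To mailing safe to send: ", safe_to_send(bad))    # False
    print("Addresses the To mailing would disclose:", len(exposed_addresses(bad)))
```

The check runs on the message object, not on whatever the user typed into a mail client, so it belongs at the point where mail is handed to the gateway; a mail client can only warn, a sending service can refuse.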
Breaches frequently involve individuals sending confidential data out of secure work systems to personal email addresses, including to "bank" information in the event of a future dispute or for the purposes of new employment. For their "End-User Security Survey 2017" Dell commissioned a global survey of 2,608 professionals who handled confidential data at companies with 250+ employees in order "to find out how widespread the unsafe sharing of confidential data has become". Dell's results showed that "72% of employees are willing to share sensitive, confidential or regulated company information".
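Sending confidential files to a personal mailbox leaves a trace in the outbound mail gateway log, and the pattern is simple enough to alert on. The following is an added example, not part of the article: it parses a constructed gateway log format, flags messages from the corporate domain to personal webmail providers that carry attachments, and counts hits per sender. The domain names, the log format and the sample lines are all constructed for the example.

```python
"""Added example (not from the original article): flag outbound mail from a
corporate domain to personal webmail accounts that carries attachments.
The log format, domain lists and sample lines are constructed and do not
correspond to any real gateway product."""
import re
from collections import Counter

CORPORATE_DOMAIN = "corp.example"                                   # assumption
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.co.uk"}  # assumption

# Constructed log format: timestamp, then key=value pairs, subject quoted.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'attachments=(?P<att>\d+) size=(?P<size>\d+) subject="(?P<subj>[^"]*)"$'
)

# Constructed sample log: one partner mail, two forwards of client lists to a
# personal Gmail address, a note-to-self, and a harmless personal mail.
SAMPLE_LOG = """\
2017-05-09T17:42:11Z from=alice@corp.example to=bob@partner.example attachments=1 size=20480 subject="Meeting notes"
2017-05-09T18:03:54Z from=alice@corp.example to=alice.smith88@gmail.com attachments=3 size=4194304 subject="FW: Client list Q1"
2017-05-09T18:05:10Z from=alice@corp.example to=alice.smith88@gmail.com attachments=2 size=2097152 subject="FW: Client list Q2"
2017-05-09T18:20:42Z from=carol@corp.example to=carol@corp.example attachments=0 size=1024 subject="note to self"
2017-05-09T19:01:00Z from=dave@corp.example to=dave.h@hotmail.com attachments=0 size=2048 subject="dinner?"
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["att"] = int(ev["att"])
    ev["size"] = int(ev["size"])
    return ev


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_corporate(addr):
    return domain_of(addr) == CORPORATE_DOMAIN


def is_personal_webmail(addr):
    return domain_of(addr) in PERSONAL_WEBMAIL


def find_exfil_candidates(log_text, min_attachments=1):
    """Messages from the corporate domain to personal webmail with at least
    min_attachments attachments. Lowering the threshold to 0 also catches
    plain-text mail, at the cost of more noise."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if (is_corporate(ev["sender"]) and is_personal_webmail(ev["rcpt"])
                and ev["att"] >= min_attachments):
            hits.append(ev)
    return hits


def summarise_by_sender(hits):
    """Count flagged messages per sender; repeat offenders stand out."""
    return dict(Counter(h["sender"] for h in hits))


if __name__ == "__main__":
    hits = find_exfil_candidates(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["sender"], "->", h["rcpt"], f'({h["att"]} attachments)', h["subj"])
    print(summarise_by_sender(hits))   # {'alice@corp.example': 2}
```

The detection keys on destination domain and attachment count because those are what the gateway reliably sees; subject keywords such as "client list" are useful context for the analyst but should not be the trigger, since they are trivially avoided.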
Data breaches can have a catastrophic impact. A good example is the Panama Papers case involving the offshore law firm Mossack Fonseca. Beginning in 2015, an anonymous source leaked more than 11.5 million client files, going back four decades, to the German newspaper Süddeutsche Zeitung. When news of the leak broke in April 2016, the firm vehemently denied that there was anything wrong with the integrity of its IT systems, stating that it had been the victim of a hack by an outside third party. The source has never been publicly identified and explained the leak in terms of moral concerns about income inequality; the firm itself later reported the arrest of an IT employee at its Geneva office on suspicion of removing large amounts of data. Whichever account is right, a very large volume of client data left the firm over a prolonged period without being detected.
According to the International Consortium of Investigative Journalists, an estimated $135 billion was wiped off the value of nearly 400 companies after the Panama Papers. Like the hacks affecting the NHS and others, the case demonstrates the extraordinary power of modern technology to stop business dead in its tracks.
What can you do to minimise the risk to your organisation?
The CyberEdge Group's "2017 Cyberthreat Defense Report" says that "once again, respondents cited users as the greatest obstacle to their organization's establishing effective defences, as 'low security awareness among employees' topped the chart for a remarkable fourth consecutive year..."
So what can be done to address this problem?
There is no absolutely failsafe method of protecting your company data: an organisation is only as strong as its weakest link. However, businesses can be alert to the risks, put in place appropriate plans to minimise the likelihood of a breach and have a breach response plan ready before it is needed. This will ensure that if there is a breach the situation can be managed and the damage minimised. Insurance policies should also be reviewed, as the right policy may provide specialist external support in the event of a cybersecurity incident.
Education, education, education.
Equipping employees with the skills to recognise and manage cyber and information security risks, raising awareness of cybersecurity issues and instilling a culture of good data management will help build an organisation that appreciates the importance and value of the data that it holds. In particular a business should:
- Identify and understand the information held by the organisation, who it belongs to and why it is important.
- Identify the cyber risks that exist and the assets you are trying to protect.
- Put in place a robust (but workable and easy to understand) cybersecurity policy so your staff understand the risks faced by the organisation, how they must deal with information and what they must do if the integrity of the organisation's systems is breached.
- Educate your workforce to recognise and respond to security issues which arise.
So are employees a risk to the integrity of your business? Yes. But they can also be your first line of defence.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.