sb-as logo
Story image

The three types of employees that can cause a data breach

29 May 2017

When it comes to cybercrime, it’s easy to imagine that the biggest threat to your company is external. However, more and more companies are realizing that trusted and trained employees can also pose an enormous threat.

Indeed, a recent report by Haystax Technology discovered that 74% of organizations questioned “feel vulnerable to insider threats,” with 56% of security professionals certain that “insider threats have become more frequent” over the past year.

While some attacks and breaches are caused by employees with a grudge, many also occur due to negligence – perhaps ignoring a warning; failing to follow procedure – or simple human error. We have identified three types of employees that can cause a data breach. Read on.

1. Innocent actions

When it comes to breach of data, innocent workers can cause as much damage as malicious hackers; a lesson learned by local authorities in Norfolk, Suffolk and Cambridgeshire, UK, which recorded over 160 data breaches between 2014 and 2015, the majority due to human error (including mobile phones being lost, letters being misaddressed and even a filing cabinet containing sensitive data being sold to a third party).

Another example can be seen with the 2016 data breach at the American firm Federal Deposit Insurance Corp. (FDIC). In this instance, an innocent former employee “inadvertently and without malicious intent” downloaded sensitive data onto a personal storage device.

With cases like those above, it is hardly surprising that 74% of those surveyed by Haystax were most concerned about this type of inadvertent data breach.

2. Careless or negligent?

You know the security warning that flashes up on your screen – do you always take immediate action? A survey by Google in 2013 discovered that 25 million Chrome warnings were ignored by 70.2% of the time partly due to users’ lack of technical knowledge, which led to the tech giant simplifying language it uses for its warnings.

Elsewhere, St. Joseph Health System suffered a breach in 2012 in which security settings were “misconfigured,” leading to private medical records being visible online. Due to the sensitive nature of the records it is perhaps unsurprising that the lawsuit which followed cost the company millions of dollars.

3. Malicious

Unfortunately, as well as human error, malicious actions by employees also play a part in insider data breaches. This is illustrated by the story of the UK’s communications regulator OFCOM, which discovered in 2016 that a former employee had sneakily been gathering its third-party data. Shockingly, the malicious activity had been taking place over a six-year period.

UK supermarket giant Morrisons also reportedly fell foul of a disgruntled employee who posted the personal data of nearly 100,000 of its staff on the internet. Although the incident occurred in 2014, the company is still facing the prospect of further legal action by staff over the breach.

What can be done?

According to a 2016 survey, 93% of respondents consider human behavior to be the greatest risk to data protection. Nuix, which commissioned the survey, believes that corporations may start reprimanding employees who “misunderstand, misinterpret, or miscalculate longstanding security policies and procedures”.

And with the impact of a data leak causing damage to businesses, including financial losses and the damage to a firm’s reputation, it’s unsurprising that companies are open to finding ways to mitigate and limit computer misuse.

Increase employee awareness

Perhaps the most logical step for employers is to ensure that all employees are aware of the potential impact of their actions, and how to avoid inadvertent data loss. It is also important to involve all employees in appropriate training, rather than simply those involved directly with IT.

Keep information safe

According to ESET’s Stephen Cobb, “there are a million reasons to encrypt data”. While not embraced by all, encrypting data could be an important part of preventing data loss.

Monitor data, and behaviours

Keeping a close eye on computer use and the behaviours of individuals should enable businesses to remain aware of and identify unusual or risky activity. BOYD (bring your own device) schemes which operate in many companies should also be carefully monitored and controlled.

Look to the future

With the risk posed by employees – however innocent – potentially catastrophic to business, it is hardly surprising that employers seem set to take a much tougher approach to insider security threats in future years.

If you’re looking to improve your workplace cybersecurity efforts, ESET’s free cybersecurity awareness training resource is a great place to start.

Article by welivesecurity.

Link image
The role of the enterprise data cloud in powering up your data
A new approach is needed for enterprises that want to leverage their data to its fullest extent.More
Link image
The wide world of data: Clear, actionable insights in one hub
Whether you’re interested in modern data warehouses or data ingestion and collection, this is your one-stop hub for creating strategies that deliver data insights that you can take action on.More
Download image
Why “encrypt everything, everywhere, all the time” needs to be common sense
Virtualized environments are the norm, and it is time for cryptographic infrastructure to catch up.More
Story image
Just 6,000 accounts responsible for over 100,000 email attacks - report
Barracuda has today released a report detailing how 6,170 malicious accounts that use Gmail, AOL, and other email services were responsible for more than 100,000 business email compromise (BEC) attacks on nearly 6,600 organisations. More
Story image
Internet outages drastically increased during COVID-19 lockdowns, report finds
Global internet disruptions increased 63% in March, with internet service providers hit the hardest. This is according to the 2020 Internet Performance Report from ThousandEyes, the internet and cloud intelligence company.More
Story image
Why greater network visibility is needed to reduce the threat posed by IoT in the enterprise
At home and abroad, organisations have joined the rush to embrace Internet of Things (IoT) technology, but a new survey shows they’re only just beginning to wake up to the enormous risk those devices pose, writes ExtraHop A/NZ Regional Sales Manager Glen Maloney.More