When it comes to cybercrime, it\u2019s easy to imagine that the biggest threat to your company is external. However, more and more companies are realizing that trusted and trained employees can also pose an enormous threat.<\/p>\n
Indeed, a recent report<\/a> by Haystax Technology discovered that 74% of organizations questioned \u201cfeel vulnerable to insider threats,\u201d with 56% of security professionals certain that \u201cinsider threats have become more frequent\u201d over the past year.<\/p>\n While some attacks and breaches are caused by employees with a grudge, many also occur due to negligence \u2013 perhaps ignoring a warning; failing to follow procedure \u2013 or simple human error. We have identified three types of employees that can cause a data breach. Read on.<\/p>\n When it comes to breach of data, innocent workers can cause as much damage as malicious hackers; a lesson learned by local authorities<\/a> in Norfolk, Suffolk and Cambridgeshire, UK, which recorded over 160 data breaches between 2014 and 2015, the majority due to human error (including mobile phones being lost, letters being misaddressed and even a filing cabinet containing sensitive data being sold to a third party).<\/p>\n Another example can be seen with the 2016 data breach at the American firm Federal Deposit Insurance Corp. (FDIC)<\/a>. In this instance, an innocent former employee \u201cinadvertently and without malicious intent\u201d downloaded sensitive data onto a personal storage device.<\/p>\n With cases like those above, it is hardly surprising that 74% of those surveyed by Haystax were most concerned about this type of inadvertent data breach.<\/p>\n You know the security warning that flashes up on your screen \u2013 do you always take immediate action? A survey by Google<\/a> in 2013 discovered that 25 million Chrome warnings were ignored by 70.2%<\/a> of the time partly due to users\u2019 lack of technical knowledge, which led to the tech giant simplifying language it uses for its warnings.<\/p>\n Elsewhere, St. Joseph Health System<\/a> suffered a breach in 2012 in which security settings were \u201cmisconfigured,\u201d leading to private medical records being visible online. Due to the sensitive nature of the records it is perhaps unsurprising that the lawsuit which followed cost the company millions of dollars<\/a>.<\/p>\n Unfortunately, as well as human error, malicious actions by employees also play a part in insider data breaches. This is illustrated by the story of the UK\u2019s communications regulator OFCOM, which discovered in 2016 that a former employee had sneakily been gathering its third-party data<\/a>. Shockingly, the malicious activity had been taking place over a six-year period.<\/p>\n UK supermarket giant Morrisons also reportedly fell foul of a disgruntled employee who posted the personal data of nearly 100,000 of its staff on the internet<\/a>. Although the incident occurred in 2014, the company is still facing the prospect of further legal action by staff<\/a> over the breach.<\/p>\n According to a 2016 survey<\/a>, 93% of respondents consider human behavior to be the greatest risk to data protection. Nuix, which commissioned the survey, believes that corporations may start reprimanding employees who \u201cmisunderstand, misinterpret, or miscalculate longstanding security policies and procedures\u201d.<\/p>\n And with the impact of a data leak causing damage to businesses<\/a>, including financial losses and the damage to a firm\u2019s reputation, it\u2019s unsurprising that companies are open to finding ways to mitigate and limit computer misuse.<\/p>\n Perhaps the most logical step for employers is to ensure that all employees are aware of the potential impact of their actions, and how to avoid inadvertent data loss. It is also important to involve all employees in appropriate training, rather than simply those involved directly with IT.<\/p>\n According to ESET\u2019s Stephen Cobb, \u201cthere are a million reasons to encrypt data<\/a>\u201d. While not embraced by all, encrypting data could be an important part of preventing data loss.<\/p>\n Keeping a close eye on computer use and the behaviours of individuals should enable businesses to remain aware of and identify unusual or risky activity. BOYD (bring your own device) schemes which operate in many companies should also be carefully monitored and controlled.<\/p>\n With the risk posed by employees \u2013 however innocent \u2013 potentially catastrophic to business, it is hardly surprising that employers seem set to take a much tougher approach<\/a> to insider security threats in future years.<\/p>\n If you\u2019re looking to improve your workplace cybersecurity efforts, ESET\u2019s free cybersecurity awareness training<\/a> resource is a great place to start.<\/p>\n1. Innocent actions<\/strong><\/h2>\n
2. Careless or negligent?<\/strong><\/h2>\n
3. Malicious<\/strong><\/h2>\n
What can be done?<\/strong><\/h2>\n
Increase employee awareness<\/strong><\/h4>\n
Keep information safe<\/strong><\/h4>\n
Monitor data, and behaviours<\/strong><\/h4>\n
Look to the future<\/strong><\/h4>\n