When it comes to cybercrime, it is easy to imagine that the biggest threat to your company is external. However, companies are realizing that trusted employees can also pose a threat, says CAREY VAN VLAANDEREN, CEO Of ESET SA.
While some attacks and breaches are caused by employees with a grudge, many occur due to negligence – perhaps ignoring a warning; failing to allow procedure – or simple human error. We have identified three types of employees that can cause a data breach.
- Innocent Actions
When it comes to a breach of data, innocent workers can cause as much damage as malicious hackers. Examples – and true-life stories – of human errors are: a mobile phone being lost, letters being misaddressed and even a filing cabinet containing sensitive data being sold to a third party.
- Careless of Negligent
You now the security warning that flashes up on your screen – do you always take immediate action?
A survey by Google in 2013 discovered that 25 million Chrome warnings were ignored by 70.2% of the time partly due to the users’ lack of technical knowledge, which led to the tech giant simplifying language it uses for its warnings.
Unfortunately, as well as human error, malicious actions by employees also play a part in insider data breaches. This is illustrated by the story of the UK’s communications regulator OFCOM, which discovered in 2016 that a former employee had sneakily been gathering its third-party data. Shockingly, the malicious activity had been taking place over a six-year period.
What can be done?
Corporations may start reprimanding employees who “misunderstand, misinterpret, or miscalculate longstanding security policies and procedures.
And with the impact of a data leak causing damage to businesses, including financial loss and the damage to a firm’s reputation, it is unsurprising that companies are open to finding ways to mitigate and limit computer misuse.
- Increase employee awareness
Perhaps the most logical step for employers is to ensure that all employees are aware of the potential impact of their actions, and how to avoid inadvertent data loss. It is also important to involve all employees in appropriate training, rather than simply those involved directly with IT.
- Keep information safe
There are many reasons why one should encrypt data – while not embraced by all, encrypting data could be an important part of preventing data loss.
- Monitor data, and behaviours
Keeping a close eye on computer use and the behaviour of individuals should enable businesses to remain aware of and identify unusual or risky activity. BYOD (Bring your own device) schemes which operate in many companies should also be carefully monitored and controlled.
- Look to the future
With the risk posed by employees – however innocent – potentially catastrophic to business, it is hardly surprising that employers seem set to take a much tougher approach to insider security threats in future years.
If you’re looking to improve your workplace cybersecurity effort, ESET’s free cybersecurity awareness training resource is a great place to start.