This article was updated on July 18, 2018.
Security breaches can do massive damage to any company's reputation and devastate bottom lines. Insider security threats — data breaches caused by employees, contractors or suppliers/vendors — are becoming a common occurrence. Any employee with a USB stick or laptop, whether acting with deliberate intentions or simply unaware of data security management, is capable of exposing your firm to massive data breaches that could embarrass you in front of stakeholders, regulators and the general public. Surprisingly, insider data breaches are generally more costly to firms than breaches made by external hackers, according to PwC.
Insider-caused breaches may be more common than you think. According to the 2015 Intel Security/McAfee report, Grand Theft Data, insider security threats are responsible for 43 percent of data loss. Half of those data losses caused by internal actors are unintentional, such as when an employee opens an email containing malware — but half of them are intentional and malicious. In reality, though, it doesn't matter whether they're an accident or not. Data loss can do untold amounts of damage to your organization.
Potential for Big Damage
You don't have to search for too long to find examples of data breaches that proved damaging to the organization involved. ComputerWeekly profiled UK supermarket chain Morrisons, which was targeted when a disgruntled internal auditor posted the salaries and confidential health data of nearly 100,000 employees online. Not only was the breach embarrassing for Morrisons, but it also resulted in an ongoing class-action lawsuit against the company by its employees, who accused the organization of negligence in protecting employees' confidential data.
Another high-profile data breach was at the U.S. National Security Agency (NSA) in 2013 when a contractor/consultant named Edward Snowden stole confidential information concerning government surveillance of U.S. citizens and shared it with the media, as Infosecurity Magazine recaps.
These examples are large breaches at major organizations, but the fact remains: No matter the scale or the organization in question, such insider breaches happen daily, compromising all sorts of employee-related data. Even if your business doesn't house such a large amount of private information, you still need to have your security locked down.
Intel Security found that the most common type of data breech is the leaking of employee information. In order to mitigate the potential for insider breaches, you'll need an array of tools: strong cybersecurity processes and policies, an experienced cybersecurity team, lots of cybersecurity training for your employees, good data-access controls, constant monitoring of data security practices, implementing monitoring technology (such as user-behavior analytics that can detect inappropriate activities) and more.
Here are four suggestions in more detail:
- Train, train, train. The goal is to prevent a large amount of data loss due to employee negligence/noncompliance. So, be sure to orient all new employees and train and test existing employees on your data management practices regularly. As the old saying goes, an ounce of prevention (in this case, awareness) is worth a pound of cure.
- Get to know your front door intimately. Have your HR managers and your cybersecurity team monitor access to confidential employee-related data. Try setting up automatic processes, such as onscreen alerts that refer to specific security or monitoring protocol.
- Invest in the available technology. Implement cybersecurity technology, such as encryption, firewalls, password controls and two-step authentication, to offer additional protection for sensitive data. Employees may complain that more layers of security make data more difficult to access, but make it clear that data-protection technology is essential to keeping company information safe.
- Monitor your cybersecurity procedures. When security protocol is violated — even if no data is lost — have a standard process in place to investigate incidents and punish offenders appropriately. While an initial incident involving an employee (for example, the one who leaves passwords on a sticky note) may be a learning or coaching opportunity, repeated incidents must be met with serious consequences.
The prevalence and high cost of insider security threats may be frustrating, but they should also be a catalyst for implementing change in the way you manage your confidential information. The cybersecurity challenges for HR leaders are large — but so are the potential losses of data, employer reputation and employee engagement, highlighting the need to get your entire organization on board.
SIGN UP FOR THE SPARK NEWSLETTER