Within the last 12 months, a huge number of businesses have fallen victim to an internal security breach. These have included high-profile organisations such as Sage Group, whose payroll processing software is estimated to be used by more than half of Britain’s businesses. TalkTalk and Morrisons followed suit, with the former losing more than 100,000 customers as a result.
It is believed that employees pose the greatest threat, since they have access to vast amounts of sensitive information on a daily basis; the most common data breaches occur when an employee, either intentionally or negligently, fails to follow security protocols.
The Legal Implications
“The often sprawling and collaborative nature of legal work, spanning both internal and external parties, means that the risk of leaks and data breaches is particularly pronounced.” www.baristermagazine.com
Studies show that internal employees account for 43% of data loss, with 50% of these cases being accidental. However, there are studies which suggest the numbers are as high as 85%. The legal implications are vast for any type of business, with fines for data breaches now reaching up to £500,000. Failure to inform all necessary parties in the event of a data breach could even lead to the closure of chambers. Legal chambers, which hold a considerable amount of sensitive information about both employees and clients and share it for collaborative purposes, need to be aware of what insiders are looking for and how to prevent a breach.
What information are potential hackers looking for?
For internal hackers, there are a number of possible information targets. It may come as a surprise to know that “[Internal actors] do seem to care more about employee information; it’s possible it’s for recruiting,” according to Rees Johnson, SVP and GM of Content Security Business at Intel.
In fact, statistics show that internal hackers target employee information in 32% of cases, while customer information is targeted around 25% of the time. Surprisingly, perhaps, payment card information accounts for the lowest percentage of cases, standing at around 10%.
What are their aims?
As in the case of the Sage Group employee hack, personal financial gain is just one reason an internal hacker may choose to steal confidential employee information. In other cases, such as that of Morrisons and an unexplained incident at British Gas, employee and customer information was stolen and posted online for various purposes. There are also the possibilities of identity theft and blackmail and, as mentioned above, employee information being passed on for potential head-hunting opportunities.
How do they do it?
On occasion, large amounts of data are stolen at random and analysed later for their potential usefulness. Stealing data has become easier with the prominence of devices that can store large amounts of data, from USB sticks to smartphones. Such devices can download considerable amounts of information in a very short time, either by being connected directly to a networked computer or by connecting wirelessly via Bluetooth or Wi-Fi.
Spear phishing emails can also result in employees inadvertently disclosing private information, from passwords to financial details. Sadly, emails like these are now almost indistinguishable from legitimate ones.
There is also the unfortunate loss of storage devices, from laptops to smartphones, which can be disastrous if these devices are not properly protected. Luckily, there are relatively simple ways of protecting against such internal data leaks.
Preventing an internal data breach
There are a number of steps that must be taken to protect your data from internal threats, whether intentional or otherwise. The first step is to make sure all employees are aware of data protection guidelines and the damage their negligence in this area could cause. Since ex-employees can also pose a threat for some time after they have left your employ, exit interviews can help an employer assess any potential threat a departing employee could pose.
On a more direct level, strict usage policies on external storage devices should be implemented, and all devices used by employees to store confidential data should be password protected at start-up. Employees should develop the habit of deleting old emails, call logs and unwanted files. Regular data security audits should be carried out and, in the case of phishing emails, anti-phishing toolbars can be utilised and a list of well-known phishing sites maintained.