Insiders Breach Your Organization’s Data (Data Tells Us So)

Written by tom-mowatt | Published 2020/07/02

TLDR Tom Mowatt is a managing director of Tools4ever, a global provider of identity and access governance. The average cost of damage or theft from these breaches is greater than $1 million. Almost 80% of senior-level employees and executives were more likely to intentionally share data against company policy. Phishing remains the most cited cause of unintentional breaches, with 60% of directors saying they had sent data to the wrong person compared with 45% of administrative staff. IT leaders need to be vigilant with current and former employees, he says.

Many company executives claim that the biggest threats to their data privacy are external threats, such as hackers or state-funded cyber-threats. However, companies are actually more likely to experience a data breach from an internal source, whether it is malicious or accidental.
While external threats such as data breaches by hackers or state-funded cyber-terrorism get the bulk of the attention, company leaders also need to be vigilant with current and former employees.
In one survey, 63% of respondents said they'd taken data from their previous company when they left a job. If more than 60% are admitting it, then the actual percentage is likely much higher. It’s not just younger employees -- who may be more likely to job-hop -- that are doing this.
On average, 46% of workers say they have taken data with them to a new employer.
However, almost 70% of company directors, those most likely (after IT) to have access to company data, take some form of data with them to their next company.
Employees bringing over data with them is just one aspect of an internal security breach. Almost 80% of senior-level employees and executives were more likely to intentionally share data against company policy according to another survey, compared with about 10% of administrative staff.
While employees and contractors are considered the number one cause of data breaches, it is the users with access to sensitive information that are perceived to pose the largest threat, followed by consultants and contractors.
Not necessarily malicious
This sharing may not be malicious. It can simply be a conversation at a meeting, an employee trying to impress a client, or the employee not having been trained adequately in protocols for keeping information secure.
An example of the latter was the March 2016 data breach by an employee of the Federal Deposit Insurance Corp. This employee “inadvertently and without malicious intent” downloaded sensitive data relating to 44,000 customers onto a personal storage device. Fortunately, the download was quickly discovered, the employee realized the mistake, and signed a statement that the information had not been used.
That incident may have ended well, but most don’t.
According to one security institute, breaches from employees or contractors with access to data were the leading cause of data breaches. The average cost of damage or theft from these breaches is greater than $1 million.
Likely, your company doesn’t have a spare million dollars it can access to replace and upgrade IT infrastructure and assets. But why do these incidents keep occurring?
  • Insufficient data protection strategies and solutions
  • An increasing number of devices with access to sensitive data
  • The proliferation of sensitive data moving outside the firewall on mobile devices
  • More employees, contractors, partners accessing the network
  • Greater complexity of technology
  • Growing adoption of cloud apps and infrastructure
What can be done
Once there is an awareness of the broader scope of the issues, IT leaders must understand what data is at risk at their company. They then need to look at systems and employee training methods to protect data from inside breaches. Surveys generally have reported that employee data and intellectual property were both at risk.
The same report noted that phishing remains the most cited cause of unintentional breaches. Again, upper-level executives were more likely than administrative staff to fall for this, as more than 60% of directors said they had sent data to the wrong person compared with less than 45% of administrative staff.
It is important to remember that the hacker aims to obtain data or information that can be sold. They do this by gaining access to a system by getting credentials or having an employee send them the data. Once a hacker is inside the system, they can then acquire access to any data that isn’t additionally protected.
People will make mistakes. Phishing attacks are increasingly sophisticated. However, IT leaders can significantly increase awareness and decrease the risk of these attacks by taking certain steps:
  • Maintaining employee training on cybersecurity and risk
  • Keeping up-to-date on employee access levels
  • Changing these access levels when necessary
  • Changing passwords regularly across the company
  • Requiring multifactor authentication on specific resources
  • Providing a secure off-boarding process for when an employee leaves the company
None of these steps will make the CTO popular with the CFO, as they all require time and resources. When compared to the alternative, taking the initiative and putting processes in place to reduce the risk of an internal data breach is worthwhile.

Written by tom-mowatt | Tom Mowatt is a managing director of Tools4ever, a global provider of identity and access governance
Published by HackerNoon on 2020/07/02