The Freeman

Data Security Threat: Employees

The unprecedented COVID-19 pandemic beginning in March of 2020 provoked drastic changes in company operations. This pandemic put many businesses to the test in formulating meaningful strategies for successful operations while protecting their employees from virus exposure.

At the same time, companies have had no choice but to keep operations going via 'work from home' and to go digital faster than originally anticipated. These changes introduce new security challenges, both in cyber security and in the behavior of employees.

Plenty of companies are not taking basic steps to improve their readiness in data protection, leaving them exposed to breaches that can threaten their existence.

Traditionally, pre-employment screening has been the main way organizations guard against insider attacks, particularly for jobs requiring a security clearance. Checking references from previous employers may highlight concerns about an individual’s reliability or temperament, conducting criminal-record checks may show an individual is unsuited to working with sensitive data, and credit checks may show financial vulnerability.

However, screening is a point-in-time assessment, and once someone joins a company, he or she is rarely if ever checked again. Data from a 2013 UK government study found that 76% of inside attackers had not joined the company with the intention of stealing data or sabotaging operations. The decision to act maliciously came as a result of changes in the employee’s financial situation, a desire for recognition, a negative work experience, drug or alcohol dependency, or poor management. Only 6% of the 120 cases in the study came as a result of deliberate infiltration, while the remainder were coerced by third parties to engage in an attack.

Technology is not a silver bullet, but it can certainly bolster a company’s defenses against insider attack. Artificial intelligence and behavioral analytics can identify user actions that diverge from the norm, such as employees accessing the corporate network outside of normal hours or trying to view restricted data.

Effective management is key to early detection of disgruntled employees, as is ensuring employees only have permission to access the data they need to perform their role.

Looking at this scenario, it is essential that companies take the role of the Data Protection Officer (DPO) seriously and provide the DPO with the tools that are required (and available) to control what’s going on in all departments and subsidiaries of the organization, with special emphasis on employees in operations. Why? Data breaches mostly happen on the operational level, maliciously or by mistake. It is essential that companies look at five simple steps:

Create a Governance Structure – Appoint a DPO (as the Philippine Data Privacy Act provides) and create a governance structure to collaborate on the Privacy Program.

Identify Risks – Identify inventory risks, process risks, compliance risks and project/product risks which, if not controlled, may result in privacy breaches or incidents.

Manage Programs – Communicate policies, ensure the implementation of controls and achieve accountability by staff and management.

Sustain Compliance Initiatives – Train and test staff and conduct audits on an ongoing basis to sustain initiatives.

Respond to Data Subject Requests and Incidents – Document and manage incidents and breaches, and data subject requests.

Is there software to achieve operational compliance with data protection, implement data protection and demonstrate accountability to regulators? Yes, there is (you can ask me for assistance).

In conclusion, finding a balance between trusting employees and verifying they are performing within the bounds of information-security policies is a key part of any cyber-risk management program. Getting it wrong can have devastating business consequences. If you need assistance, let me know — you can contact me at Schumacher@eitsc.com
