Most people equate data breaches with external hackers and data thieves that compromise the company’s data storage systems and steal the data for their own gain. This picture, while correct to an extent, is however very limited.
Internal breaches and damage stemming from individuals connected with the company are on the rise. Sometimes this is due to malice, but often – and more worryingly – due to negligence. This kind of damage is tragic because it is preventable, yet it occurs so often.
A 2016 report by Ponemon Institute LLC, funded by Experian Data Breach Resolution, shows that 55% of all companies experienced a security breach that was a result of a malicious or a negligent employee.
There are two major ways this can happen: an employee could have malicious intentions, or be subject to a phishing attack, such as fake e-mails. Malware is another way data can leak, but occurs less often.
In half of the cases, companies use some kind of password management policies. 40% use device encryption, containerisation and mobile device management. Only a quarter practice full disk encryption of laptops (and, conceivably, do not adequately protect the employees’ BYOD devices).
ID Is King
When it comes to physical security, 80% of companies use ID cards or biometric information to access the premises, and about a half shred their confidential data. Again, employees are required to have a privacy shield on their PCs in only a fifth of the surveyed companies.
You might feel 2016 data is too old, and that those figures do not apply anymore. Sadly, you would be wrong. Not much has changed since then. A new report by the US company Beazley states that about 30% of the breaches in the first half of 2017 were caused by employee error or while the data was controlled by third party suppliers.
Healthcare seems to be particularly plagued with accidental data disclosure issues. Up to 42% of all breaches are the result of personal negligence.
More worryingly, whereas rank and file members are required to take data protection courses, CEOs and high-level executives mostly do not take them. This sets a bad example and also exposes very sensitive and risky data to breaches if the management do not adopt adequate policies.
Data Breach Prevention: Do Programmes Work?
How can companies prevent these employee-driven breaches? First and foremost, by employing good employee education policies. Then, reducing employee turnover is a worthwhile method as well. And finally, proper employee selection and pre-employment filtering can ensure that bad apples do not even step foot within a company.
Companies can also enact internal security measures that do not rely on its employees’ honesty. Instead, various access controls and data containment policies can dramatically curb the number of potential breaches. The less data there is to go around, the lesser the risk of someone compromising it.
Experience shows that training programmes work only on negligent employees. They do little to prevent criminal and malicious behaviours by employees. Physical security is the best option in this case.
Fortunately, most companies understand that data protection training programmes do not work as well as advertised. Only 17% claim they are very effective. These programmes have their limitations. Most are basic and focus on password security, privacy laws, and protection of paper documents. Most do not cover social media related dangers and installation of potentially risky software.
More than half of the responders claimed the course did not go over phishing and social engineering attacks. About 40% say the course covered mobile device security, whereas 30% say they were informed about proper use of cloud services.
Incentives for employees who are conscientious with sensitive data are a great motivational tool. The benefits can be financial or lead to a better performance report. Conversely, while negligent employees should be punished accordingly, investing in their education could be viable as well. Sadly, 30% say their employees must retake a training course after experiencing a data breach.
The Future of Employee Breaches
However, if the current trends are to go by, there is no end in sight when it comes to employee breaches. Experia’s report shows that only one third of polled executives consider employee knowledge on data security risks as a high priority issue.
We can only hope the GDPR will provide that nudge forward that will force companies and organisations to enact proper measures at last.