A popular advertisement asks, “What’s in your wallet?” I’ll go out on a limb here and say I probably know what’s in your wallet. It’s not much different from everyone else’s wallet. Credit cards, bank ATM/debit card, driver’s license, health insurance cards, family photos, important contact info and maybe some other personal information. So what is in your wallet isn’t too interesting.
A better question would be, “Who’s in your wallet?” I’m speaking figuratively, of course. In this web-connected world, all of that same information may be available on your computers or online in various cloud-hosted servers. It’s important to know who has access to your virtual wallet.
Your business also has a wallet of its own. Whether it’s an in-house server or cloud-hosted services, your business is keeping all sorts of confidential information. Employee records, customer/patient records, customer credit card numbers, sales leads and confidential company information that gives you a competitive edge. This is information that hackers and even your competitors would like to have.
It’s unnerving to think that a stranger may be maliciously sifting through your confidential information. It’s worse when you find it’s not a stranger. The biggest threat to your organization could be just a few feet away.
Corporate Data Breach
For many, the term data breach conjures up images of a seedy character in a dimly lit room, hunched over a keyboard, surrounded by computer monitors, working feverishly to break into some bank or government network. So it may surprise you to learn that 69% of data breaches are caused by employees. With a statistic like that, your employees are at the same time your greatest asset and your biggest liability.
As you might imagine, among the top offenders are disgruntled employees. From their perspective, they’ve been treated unfairly, passed over for that promotion too many times or paid less than others who don’t work nearly as hard. Or maybe someone tipped them off that they’re about to be terminated. Whatever the reason, they’ve reached their limit and now it’s payback time. Your competitors may be interested in a peek at your secret sauce recipe. Or maybe the employee will quietly take those secrets with them to their next job to make a good impression. After all, they played a big part in creating that secret recipe, so they feel they own it. Fame and fortune might not be their motivation. They may simply want to bring you down. Deleting or strategically modifying important documents could certainly hurt. Worse still, leaking protected information like patient health records or customer credit card numbers would not only expose you to heavy regulatory fines, but could cause many of your customers to take their business elsewhere. An unhappy employee with access to your company’s privileged information can do a lot of damage.
They’re not all malicious attacks, however. Accidents happen too. Emailing confidential information to the wrong person. Losing a laptop or USB flash drive. Even inadvertently letting outside hackers into the network. That last one is a big one. Although it is technically an outside threat, most often it is the direct result of an employee’s actions: visiting a website hosting a drive-by installer, or working from home on a computer infected with a virus, to name a couple. All very innocent and not intentional. Still, they do a lot of damage.
Reducing Data Breaches
Data breaches are not a problem that can be solved by technology alone. While there are devices and services that help with some types of breaches, many of the problems associated with data breaches are tied directly to the will and actions of employees. This makes it initially and primarily an HR issue. While we can’t control people, we can influence them. Education and established policies can guide and influence proper behavior and, to some degree, discourage improper actions. Once these are in place, we can apply appropriate technologies and reduce the exposure substantially.
External Threats Caused by Employees
Topping the list of data breach causes is employees unwittingly letting in the bad guys. You may have a lock on the front door of your home. But that lock won’t help you if you open the door every time the doorbell rings. Hopefully you take some precaution before opening the door, like looking out the window or asking who it is. Employees need to ask, “who’s there?” before opening their doors. Social engineering and phishing scams include emails enticing recipients to click a link or enter their login on a look-alike site, web pages that simulate an error message and scare users into calling a tech support phone number, and even phone calls from people claiming to be from a reputable technology company, just to name a few. All of these can lead to spyware and other malware being installed on the employee’s computer, or to the employee handing over their credentials, ultimately letting in bad actors.
Websites can host malware that exploits vulnerabilities in the visitor’s browser or computer. Simply going to one of these websites is enough to become infected. In some cases, these aren’t even bad websites. There have been cases where people went to well-known, reputable websites and were infected by malware delivered through a malicious advertisement (so-called malvertising) served by the site’s ad network.
Employees working from home pose a few threats. For one, home computers are generally not protected as well as corporate systems. You may be doing everything you can to keep your office network secure. But if an employee working from their unprotected home computer connects to your corporate VPN, or brings in a file from their infected home computer, that can compromise your network’s security.
Also in the “working from home” category is direct data breach from the employee’s home network. If an employee’s home computer is infected with spyware or other malware, bad actors can access that computer and, therefore, any company files stored on it. If the employee uses that computer to log in to corporate or cloud-based web portals, they could be inadvertently passing their user credentials to a bad actor.
Employees that are provided with mobile devices (laptop computers, tablets or smartphones) pose a threat if that device is lost or stolen. The device may have confidential information on it, or may be able to connect to corporate servers or cloud services with little or no further authentication, because passwords and logged-in sessions are often saved on the device.
Social media opens up a whole new set of problems, like cyber stalking. Everyone wants to have friends, followers and connections. But blindly accepting connection and friend requests from strangers can make one’s personal profile accessible to bad actors, providing them information about your company. For instance, from an employee’s LinkedIn profile a bad actor can find other employees in the company along with job titles and descriptions. They can piece together an organizational chart and know who reports to whom and who has access to what. Following those people on Facebook, they’ll know who’s away on vacation or on a business trip and be able to slip things by that otherwise might have been questioned. Like spoofing an email from the boss to the bookkeeper asking to wire money to some account. Or to a sales manager asking for customer information. From Facebook, stalkers can gather information to guess passwords, which commonly include spouse, children’s or pet’s names, birthdays and anniversaries. Even easier, they can find answers to common security questions such as mother’s maiden name, best friend’s name, favorite pet, etc.
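To show how little the password guessing described above costs an attacker, here is an added Python example (not from the original article). It builds a guess list from a constructed, fictitious profile of the kind an attacker could harvest from public posts, checks it against a hashed password, and also shows the defender’s counterpart: a policy check that rejects passwords containing profile facts in plain, reversed or leet-speak form. The profile, the password and the choice of unsalted SHA-256 as the stored hash are assumptions made for illustration.

```python
import hashlib
import itertools
from datetime import date
from typing import Optional

# Constructed, fictitious profile: the kind of facts harvested from public
# social-media posts (family and pet names, hometown, birthday, anniversary).
PROFILE = {
    "names": ["Dana", "Chris", "Maya", "Leo", "Biscuit", "Tulsa"],
    "dates": [date(1984, 7, 19), date(2010, 5, 2)],
}

# Map common "leet" substitutions back to letters so "B1scu!t" reads as "biscuit".
UNLEET = str.maketrans("43015@$", "aeoisas")


def normalize(s: str) -> str:
    return s.lower().translate(UNLEET)


def date_tokens(d: date) -> set:
    """Date fragments people commonly splice into passwords. Two-digit pieces
    are deliberately left out because they would match almost anything."""
    y4, y2 = f"{d.year}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {y4, mm + dd, dd + mm, mm + dd + y2, mm + dd + y4, dd + mm + y4}


def profile_tokens(profile: dict) -> set:
    tokens = {n.lower() for n in profile["names"] if len(n) >= 3}
    for d in profile["dates"]:
        tokens |= date_tokens(d)
    return tokens


def profile_matches(password: str, profile: dict) -> list:
    """Defender's side: profile tokens found in the password, ignoring case,
    leet substitutions and reversal. An empty list means the check passes."""
    forms = {password.lower(), normalize(password)}
    found = set()
    for tok in profile_tokens(profile):
        if any(tok in f or tok[::-1] in f for f in forms):
            found.add(tok)
    return sorted(found)


SUFFIXES = ["", "!", "1", "123", "!1", "#"]


def generate_candidates(profile: dict):
    """Attacker's side: guesses of the form <name><date fragment><suffix>."""
    words = []
    for n in profile["names"]:
        words += [n.lower(), n.capitalize(), n.upper()]
    dates = {""}
    for d in profile["dates"]:
        dates |= date_tokens(d)
    for w, d, s in itertools.product(words, sorted(dates), SUFFIXES):
        yield w + d + s


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 stands in for whatever the target stores (an assumption);
    # the guess list is what matters, and it is only a few thousand strings.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(stored_hash: str, profile: dict) -> Optional[str]:
    for cand in generate_candidates(profile):
        if sha256_hex(cand) == stored_hash:
            return cand
    return None


if __name__ == "__main__":
    pw = "Biscuit0719!"  # pet name + birthday (MMDD) + punctuation
    print("policy matches:", profile_matches(pw, PROFILE))
    print("recovered:", crack(sha256_hex(pw), PROFILE))
```

The attacker side needs no wordlist download and no special tooling; the whole candidate space for this profile is under two thousand guesses. The defender side is the check you would wire into password changes and, with the same token list, into the answers employees give to security questions.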
According to a Symantec survey, 50% of employees surveyed who left or lost their jobs kept confidential data and 40% intend to use it at their new job. More than half said they believe it’s ok to do so because their employer didn’t enforce confidentiality policies. It’s hard to accept that half of your employees may have some confidential data in their possession and many of them intend to give it to your competitor someday.
Some take this information over time. Using a USB flash drive, a free file sharing account (e.g., OneDrive, Google Drive, Dropbox, etc.) or a personal email account, some employees keep their own personal collection of projects they’ve worked on and information that may help them in the future. Many don’t take confidential information until right before leaving the company. Some take it after they’ve left, using remote access software that their employer forgot to disable or didn’t know the employee had installed.
As mentioned earlier, mobile devices can contain confidential data. Mobile devices are usually returned to the employer upon termination. But what about devices owned by the employee? This practice is known as BYOD or Bring Your Own Device. Many employers embrace this as a way to make their employees productive without paying for expensive equipment. A Tech Pro Research study shows that 74% of organizations either allow BYOD now or will within the next 12 months. With regard to data breaches, however, BYOD often results in KYED (Keep Your Employer’s Data). Since the employee owns the device, the employer can’t confiscate it upon termination so the data remains with the ex-employee.
What you can do
It’s important that an organization establish policies defining the rules and conditions of employment, including use of company resources. These may be separate documents or included in a broader document such as an employee handbook. The employee should be required to sign these agreements at hiring and at least annually. Employees should have these policies explained to them so they understand what they are agreeing to.
Once the policies have been established and agreed to by employees, measures can be put in place to prevent employees from accidentally breaking the rules and to make it difficult to intentionally break them. It is impossible to completely prevent employees from intentionally breaking rules, as there will always be a way for them to get around the system. But well written policies along with monitoring tools can make an employee think twice before willfully doing something malicious.
How strict or lenient your organization is with these is your decision. However, you should note that if you create a rule you should enforce it. If employees see you are not enforcing your policies they will not take them seriously. It’s also harder to take legal action if an employee can show that others have broken rules and agreements and got away with it.
Following are nine things you can do to reduce the risk of data breach in your organization. While not an exhaustive list, it’s a good starting point and food for conversation with your HR and IT people.
Nine Ways to Reduce Data Breaches
- Create a policy that defines what information is confidential. For example, contact information and all email correspondence with clients may be considered confidential. This policy should explain how it would hurt the organization if confidential information got into the wrong hands and what legal remedies the organization will take if this is violated. This may include, or be associated with, non-disclosure and non-compete agreements.
- Create a policy for appropriate use of resources. This policy should explain that the organization owns all equipment and services entrusted to the employee during their employment. This should include the proper use of company email. Upon termination, the employee must return all company-owned equipment and must return or destroy any company data residing on personal devices. The policy can also indicate that email and other forms of data transfer are monitored for appropriate use.
- Create a “work from home” policy. At a minimum, define a suitable work environment, comfortable and free of distraction. Moreover, provide minimum security requirements for the employee’s home network, including security software, password requirements and possibly network separation from other computers in the employee’s home, as appropriate for how work will be performed.
- Educate employees on cyber threats and how to avoid them. You might have your IT department or an outside consultant give a presentation or seminar on the latest threats. You may also include some related tips in your employee handbook.
- Establish (through technology) a policy of “least privilege.” This simply means that each employee is given access only to the information needed to do their job. The less information they can access, the less they can breach. Grant access by role or group rather than to individuals, and review who has access to what periodically, since privileges tend to accumulate as people change jobs within the company.
- Create a procedure for employee termination. Rather than waiting until an employee leaves to figure out what to do, put together a checklist your IT people can follow to turn off access to computers, email, VPN, cloud services, etc. Include in this list a scan for remote control or file sharing software the employee may have installed, and change any shared passwords the employee knew.
- Implement multiple layers of security. Antivirus software alone is not enough. At a minimum, a firewall providing intrusion prevention services, as well as DNS or web filtering that blocks known malicious sites, are needed. Routinely monitor for and install software security updates. Complete image backups of PCs and servers will be helpful if a computer is infected by malware beyond simple remediation means; keep at least one copy of those backups offline or otherwise out of reach of a compromised machine.
- Block access to personal email or file sharing accounts (e.g., Google Drive, Dropbox, etc.). While you may not be able to block all personal email accounts, you can block access to free sites like Gmail, Hotmail and others. Employees often create free accounts to send themselves, or outsiders, confidential information, bypassing the organization’s email system. Note that a block on the office network does nothing for personal devices or mobile data connections, so pair it with monitoring of what leaves the network.
- Implement some form of Mobile Device Management (MDM). Whether company owned or BYOD, you should have a way to remotely wipe your data off mobile devices and block further access to your data. For BYOD, keep company data in a managed container or work profile so that you can wipe only the company data and leave the employee’s personal data untouched.
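The termination checklist above, and the earlier point about ex-employees coming back in through remote access software that nobody removed, both come down to two checks that can be scripted. Here is an added Python example (not from the original article) that runs them over constructed data: it scans a workstation’s installed programs, services and scheduled tasks for remote-control and personal file-sync tools, and it scans an authentication log for any activity by the departed user after the termination time. The hostname, user, file paths, tool lists and log format are assumptions made for illustration; in practice the inventory would come from your endpoint agent or an inventory query, and the log from your VPN and webmail systems.

```python
import re
from datetime import datetime

# Tool name fragments an offboarding scan should flag, matched case-insensitively
# against installed programs, service names and scheduled-task command lines.
# Illustrative lists, not exhaustive; extend them from your own inventory.
REMOTE_ACCESS = ["teamviewer", "anydesk", "logmein", "splashtop", "rustdesk",
                 "remoting_host", "vnc", "gotomypc", "ammyy"]
PERSONAL_SYNC = ["dropbox", "google drive", "googledrivefs", "box sync",
                 "icloud drive", "megasync"]

# Constructed inventory for one workstation (the kind of data an endpoint agent
# or a WMI query would return). Hostname, paths and user are fictitious.
HOST_INVENTORY = {
    "hostname": "WS-0417",
    "installed": ["Microsoft Office 365", "AnyDesk 7.1.11", "7-Zip 23.01", "Dropbox 180.4"],
    "services": ["Spooler", "AnyDesk Service", "WSearch"],
    "scheduled_tasks": [
        r"C:\Users\dwilson\AppData\Local\RustDesk\rustdesk.exe --service",
        r"C:\Windows\System32\cleanmgr.exe /autoclean",
    ],
}

# Constructed authentication log (VPN and webmail), one event per line.
AUTH_LOG = """\
2024-03-29 17:02:11 vpn login user=dwilson src=203.0.113.8 result=success
2024-03-30 02:14:53 webmail login user=dwilson src=198.51.100.23 result=success
2024-03-30 09:00:02 webmail login user=jsmith src=10.0.0.12 result=success
2024-03-31 23:41:07 vpn login user=dwilson src=203.0.113.8 result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<service>\S+) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def scan_inventory(inventory: dict) -> list:
    """Flag remote-control and personal sync tooling wherever it shows up."""
    findings = []
    for where in ("installed", "services", "scheduled_tasks"):
        for entry in inventory[where]:
            low = entry.lower()
            for category, needles in (("remote_access", REMOTE_ACCESS),
                                      ("personal_sync", PERSONAL_SYNC)):
                if any(n in low for n in needles):
                    findings.append({"category": category, "where": where, "entry": entry})
    return findings


def logins_after(auth_log: str, user: str, cutoff: datetime) -> list:
    """Every authentication event for the departed user after the cutoff, failures
    included: a failed attempt after termination still deserves a look."""
    events = []
    for line in auth_log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["user"] != user:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ts > cutoff:
            events.append({"ts": m["ts"], "service": m["service"],
                           "src": m["src"], "result": m["result"]})
    return events


def offboarding_report(user: str, termination: str, inventory: dict, auth_log: str) -> dict:
    cutoff = datetime.strptime(termination, "%Y-%m-%d %H:%M:%S")
    return {
        "user": user,
        "host": inventory["hostname"],
        "tooling": scan_inventory(inventory),
        "post_termination_logins": logins_after(auth_log, user, cutoff),
    }


if __name__ == "__main__":
    report = offboarding_report("dwilson", "2024-03-29 17:30:00", HOST_INVENTORY, AUTH_LOG)
    for f in report["tooling"]:
        print(f"[{f['category']}] {f['where']}: {f['entry']}")
    for e in report["post_termination_logins"]:
        print(f"[login after termination] {e['ts']} {e['service']} from {e['src']} ({e['result']})")
```

Two things the sample data is built to show: the same tool can turn up in more than one place (AnyDesk is both an installed program and a running service), and the scheduled task is the only trace of RustDesk, which is exactly the kind of install that a check limited to “Add/Remove Programs” would miss. The log check is only meaningful if account disabling and VPN revocation actually happened at the recorded termination time, which is why the checklist should record when each step was completed.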
As mentioned earlier, this is not a complete list. But hopefully it will get you and your senior staff looking at ways to reduce the threat of data breach in your organization.