July 12, 2018
When organisations create plans to prevent a data breach, the perpetrator they have in mind is almost always a third-party hacker whose main intent is to cause damage to the company’s wallet and/or reputation - not necessarily internal security challenges. What many organisations fail to realize, is that a substantial amount of data breaches occur from within the organisation itself. A data breach report by Verizon from 2016 showed that fifty percent of all security incidents, are caused by people inside an organisation.
What causes internal security breaches? There are cases of disgruntled employees who leak personal or proprietary data deliberately with malicious intent, but more often than not, these breaches occur by accident, due to human error or carelessness.
Take, for example, the data breach at Whitehead Nursing Home in Northern Ireland. One of the nursing home employees had taken an unencrypted work laptop home. While this posed a potential security risk, the employee would probably have been fine, if her house hadn’t been burgled and the laptop stolen. Sadly, this led to the personal data of forty-six employees and twenty-nine patients being exposed, including mental and physical health and 'do not resuscitate' orders.
In this example, the employee did not cause the breach intentionally. She didn’t mean for the personal data to be exposed to the wider public. However, her mistake caused not only personal data to be exposed, but also led to her employer being fined 15,000 pounds. Was this fair? Who was at fault here? These are not questions you have the luxury of asking after a breach occurs. A breach like this calls the organisation’s security practices and protocols into question, such as the way the organisation briefs their employees on handling personal or sensitive data, encryption protocols, processes and procedures for taking company assets offsite, etc. The breach and the fine could have been easily avoided, but this is not always the case, especially when an employee is deliberately out to cause a data breach.
Another common mistake employees can make with regards to confidential data is in the improper disposal of physical data. Many organisations overlook the fact that confidential data on paper can be equally as important and sensitive as online data. This can lead to some serious security lapses. For example, Singapore is known to have the “karung guni man”, an individual who goes around collecting unwanted items, including paper. When organisations improperly discard confidential papers, they wrongfully assume that the documents will be destroyed right away. Unfortunately, in many cases, the documents make their way to the karung guni man, often through the complicity of office cleaning teams. The karung guni sells it to recycling companies. The documents are usually still intact during the whole process and the organisation has no way of knowing where the documents are being taken nor any control over who gains access to the them, thus increasing the risk of a data breach.
Security professionals have to understand that when dealing with people, there are always going to be risks and these risks have to be identified and mitigated. Common security measures include implementing encryption programs on all devices to heavily reduce the chances of a breach if an item were to be stolen or lost. Other measures can include establishing security policies for employees and putting in the effort to be certain of an employee’s understanding of security procedures so that the risk of employees making security mistakes decreases and the chance for detecting a potential breach increases. For physical documents, secure destruction bins can be put in place and protocols can be established on how documents should be properly disposed of.
By broadening our view of data breaches to include employees instead of only focusing on external threats, organisations can take the proper steps to prevent a data breach whether deliberate or accidental.