Employees are a Huge Threat to Your Data: Strategies for Reducing Risk
Recently, Verizon published a report on cybersecurity and data breaches (the full report is available from Verizon). It is an interesting report focusing on the threat to data posed by insiders such as employees and third-party “partner organizations.” According to the report, one-fifth of cybersecurity incidents in 2018 were caused by insiders, and 15% of data breaches were insider-caused. Not surprisingly, making money was the number one reason for engaging in data exfiltration. Interestingly enough, the number two reason was “pure fun” (23.4%).
Here at San Diego Corporate Law, we have highlighted the dangers of cyber-hacking and data loss. Immense damage can be done to your business, both in cost and in reputational injury. Furthermore, the costs are only going to increase now that the California Consumer Privacy Act has taken effect on January 1, 2019. It is crucial to have company policies and procedures in place; an experienced corporate attorney can help devise and draft such policies. It is particularly important to have policies in place and to hold training for employees. The Verizon report highlights this point. According to Verizon, three types of employees are particularly worrisome: the careless worker, the inside agent, and the disgruntled worker.
The first category consists of employees who are negligent and careless, or who simply do not care. These employees will open suspicious emails, download apps and programs without thinking, mishandle data, and break “acceptable use” policies. Notice that these employees are already violating the company’s use policies. Thus, the best policy response to these employees is to limit access. Negligent and careless workers should not have access to computers and systems from which customer data and confidential company data can be downloaded or exfiltrated. Procedures should also be in place for a constant and periodic review of the software that has been downloaded or installed onto company-owned and operated computers and devices throughout the workplace. Yes, there is a cost involved in monitoring and checking the computer system. But that cost is vastly more affordable than what a data breach will cost your business.
The second and third categories identified by Verizon are particularly dangerous types of employees because their actions are deliberate and unforeseen by your business. But your business is still liable for the data breach and the resulting damages. An “inside agent” is an employee who is recruited, solicited, or bribed by an external party to damage your computer systems or exfiltrate data. “Recruited” covers the idea of “hacktivism,” where hacking and data theft or damage are motivated by political causes or ideology. The “disgruntled employee” is often the most dangerous type of threat because their anger can lead to widespread destruction and/or release of data.
For these categories of employee threats, the focus of company policies should be on these issues:
- Constant vigilance in terms of access and systems activity
- Proper vetting of employees before hiring/promoting
- Watchfulness for signs of disgruntlement and/or recruitment by “bad actors”
- Limiting access with respect to scope (no access beyond what is needed) and timing (work hours)
- Limiting remote access
- Immediate termination of access (if there is an employee separation)
- Two-party access for particularly sensitive data and systems
- Vigorous security investigations
- And more
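Several of the points above (time-limited access, prompt termination of access on separation, and two-party access to sensitive systems) can be checked mechanically against an access log. The following is an added illustration, not part of the Verizon report or of this firm's own material; the log records, the separation dates, and the work-hours window are constructed sample values, and the rule names are our own.

```python
from datetime import datetime, time

# Constructed sample access events (not real data). Each record has the
# user, an ISO timestamp, the resource, whether it is sensitive, and the
# co-approver for two-party access (None if nobody else approved).
ACCESS_LOG = [
    {"user": "alice", "ts": "2019-03-04T10:15:00", "resource": "crm-export", "sensitive": True,  "approver": "bob"},
    {"user": "carol", "ts": "2019-03-04T23:40:00", "resource": "payroll-db", "sensitive": True,  "approver": None},
    {"user": "dave",  "ts": "2019-03-05T09:05:00", "resource": "wiki",       "sensitive": False, "approver": None},
    {"user": "dave",  "ts": "2019-03-06T14:00:00", "resource": "wiki",       "sensitive": False, "approver": None},
]

# Constructed HR separation times: any access at or after this time is a finding.
SEPARATED = {"dave": "2019-03-05T12:00:00"}

# Assumed work-hours window (weekdays only); adjust to the company's own policy.
WORK_START, WORK_END = time(8, 0), time(18, 0)


def audit_access(log, separated, work_start=WORK_START, work_end=WORK_END):
    """Return a list of (rule, user, timestamp) findings for an access log.

    Rules correspond to the policy points in the list above:
      off_hours       -> access on a weekend or outside the work-hours window
      post_separation -> access by a user after their recorded separation time
      no_second_party -> a sensitive resource touched without a co-approver
    """
    findings = []
    for rec in log:
        ts = datetime.fromisoformat(rec["ts"])
        user = rec["user"]
        if ts.weekday() >= 5 or not (work_start <= ts.time() <= work_end):
            findings.append(("off_hours", user, rec["ts"]))
        sep = separated.get(user)
        if sep and ts >= datetime.fromisoformat(sep):
            findings.append(("post_separation", user, rec["ts"]))
        if rec["sensitive"] and not rec["approver"]:
            findings.append(("no_second_party", user, rec["ts"]))
    return findings


if __name__ == "__main__":
    for rule, user, ts in audit_access(ACCESS_LOG, SEPARATED):
        print(f"{rule:16} {user:8} {ts}")
```

Each finding is a trigger for an investigation, not proof of wrongdoing; the point is that the controls in the list become verifiable once access events and HR separation dates are recorded in a form that can be compared.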
Contact San Diego Corporate Law
For more information, contact attorney Michael Leonard of San Diego Corporate Law. To schedule a consultation, contact Mr. Leonard via email or by calling (858) 483-9200. Mr. Leonard has been named a “Rising Star” four years running by SuperLawyers.com and “Best of the Bar” by the San Diego Business Journal.