With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, data has been at the front of everyone’s minds. Organisations are protecting themselves more than ever, but to protect your data effectively it is important to understand the causes of breaches.
One of the biggest risks to your organisation’s data is your own staff. It makes sense: after all, the people within your organisation don’t have to work nearly as hard as an outsider to gain access to the data - usually, they’ve been granted that access freely!
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), insider data breaches are actually more common (56%) than outsider data breaches (43%), so it’s clear that insider breaches are something to sit up and pay attention to.
The 3 types of insider attacks
Malicious insider behaviour combines a motive to harm with a decision to act inappropriately. For example, Chelsea Elizabeth Manning (born Bradley Edward Manning), former United States Army soldier, was convicted by court-martial in July 2013 of violations of the Espionage Act and other offenses, after disclosing to WikiLeaks nearly 750,000 classified, or unclassified but sensitive, military and diplomatic documents, and was imprisoned between 2010 and 2017.
Negligent behaviour occurs when people look for ways around policies they feel get in the way of doing their jobs. They find workarounds to get their work done quickly, but those workarounds can leave gaps when it comes to protecting data.
An example of negligent behaviour occurred in mid-2016, when a staff member at the Whitehead Nursing Home in Northern Ireland took home an encrypted laptop. When their home was burgled, the laptop was taken, potentially exposing the data of 29 residents and 46 staff members. The home was fined £15,000 (around AUD$26,400) for failing to have any policies on how staff members should go about taking encrypted devices home, and for failing to train their staff on data policies. In this case, both the organisation and the individual were guilty of negligent behaviour, despite neither of them intending to be careless with the data.
We may hear more about malicious insider behaviour than any other type, but completely inadvertent breaches are far more common than malicious ones. Employees make mistakes, and according to Verizon’s 2018 DBIR, errors were at the heart of almost 1 in 5 breaches. This happens particularly when employees click on links that are not altogether trustworthy - 4% of people will click on a phishing campaign - and that is all an outside attacker needs to gain access to your organisation’s information. Add to that the risk of accidentally losing a flash drive full of data or writing passwords down, and it’s easy to see how data can be leaked without any intent to do so.
So if it’s so easy for insiders to either unintentionally leak data or to maliciously acquire and misuse the data they have access to, how can organisations avoid these kinds of insider breaches?
Work on a ‘need to know’ basis
Not all employees need to be able to access all the data an organisation holds. Only allow employees to access the information they need to do their jobs, and nothing more. It’s a small restriction, but it limits how much data any one account can leak or misuse, whether by accident or on purpose, and it could make all the difference.
Have the right technology
Using a platform like Microsoft SharePoint to make sure that employees only ever access information relevant to them is a good start, but it still has its drawbacks: over time, collaboration environments evolve into an information portal and an environment of oversharing. In addition, SharePoint administrators have access to all information, so implementing data-protection policies and backing them up with the right technology means that your organisation can reduce the risk of breaches and regulatory non-compliance. Secure Microsoft SharePoint with Berkeley’s ESSP solution.
Enforce and reiterate the importance of data-protection policies
Make sure that every employee knows exactly what the company policies are and the risks they run by not complying. Most employees will never intentionally leak data, so ensure that they know exactly why they should always be vigilant.
At Berkeley, we develop and deliver secure data protection and privacy solutions to government and commercial organisations, helping them comply with all relevant data and privacy laws. Get in touch with us today to find out how we can provide the right data protection solution for you. https://berkeley.solutions