Employees: Data Security's Biggest Threat?
When we think of threats to data security, you might think of those phishing email reminders you get from the IT department or those phone calls you get about your car’s extended warranty. Or perhaps you think of much more serious cyber security threats like ransomware or malware. You may even think that the biggest threat comes from hackers furiously typing on three keyboards as they consume Mountain Dew and Cheetos.
There are numerous threats to cyber security that often require training, incident response teams, and software solutions to ensure that data is taken care of--and for good reason. Some estimates show that cyberattacks cost the U.S. economy over $100 billion dollars. Understandably, this creates the need for an even greater expenditure on data security measures.
The data security industry in the U.S. alone is estimated to be about a $179 billion dollar industry. You would think that with billions of dollars being spent on cyber security each year that the major threats to cybersecurity would be well taken care of. However, what sort of safeguards prevent an employee from intentionally downloading and selling internal company data? Internal threats such as this are often overlooked and in many cases much more difficult to address.
The Biggest Threat to Data Security are Employees
According to a 2015 paper by Nuix in conjunction with Kaplan, 93% of IT professionals agreed that human behavior was the biggest threat to their organizations' data security. This can be anything from an employee leaving their laptop open in a public place to quite literally clicking on an embedded link in a phishing email. Internal human behavior, whether intentional or unintentional, can undermine even the most robust security measures.
Internal threats in general will typically have some degree of human activity. Whether intentional like downloading personal data onto an external hard drive or unintentional, like an ex-employee cleaning their hard drive and unknowingly taking the company’s sensitive information with them, internal threats are difficult to eliminate. Below we will cite a few examples of human behavior that spelled tragic loss for the parties involved.
Human Behavior At Work
For our first example and arguably one of the worst data security breaches is Equifax’s data breach that occurred in 2017. Equifax is a major player in the credit reporting space. Much of their data is very sensitive and can be easily used in conjunction with other data to steal the data’s subject’s identity. This Equifax breach was the result of an expired certificate which resulted in a vulnerability that exposed over 150 million individuals personal information. For perspective that is almost half the population of the United States and almost three times the population of the United Kingdom. Roughly 10 million of the users affected by this data breach were residents of the United Kingdom which resulted in Equifax receiving a fine from the United Kingdom of €500,000, the maximum allowable fine under the Data Protection Act of 1998 (GDPR would not go into effect until 2018). This enormous loss was quite the buzz in the media for a while and ultimately was the result of a missed email notification and the failure of updating the certificates on the employee side.
Next we will leap ahead to 2018. The Defense Travel System, a notification system utilized by the United States Department of Defense, unintentionally sent out an unencrypted email to the wrong mailing list. The email included an attachment that contained sensitive information including the banking information, social security number, and emergency contact information of roughly 21,500 marines, sailors, and civilians. The error here was simple. The individual involved literally selected the wrong email mailing list. Obviously sending out emails is an important function of a person’s role. However, even with conversation before sending, thoughtless human behavior can still override these small safety measures. Yet another example of a small error caused by human behavior that had astronomical consequences.
Another 2018 example comes from Strathmore College, a small private university in Kenya. In August of 2018, an internal user accidentally published more than 300 student’s records on the universities intranet giving access to students medical conditions, disabilities, and other conditions giving anyone on the network access to this sensitive information. For about 24 hours any student, parent, or teacher in the network could have downloaded this sensitive information. While these examples are all mere human oversight or mishap, an internal actor with malicious intent could easily cause the same if not worse damage.
Our final example and much more malicious one at that comes from the intentional collection of information over a six-year period by a former Office of Communications (Ofcom) employee. It was only discovered that this information had been pilfered from Ofcom's systems when the individual offered up the information to his new employer, a major television network. Luckily for Ofcom, the network did the right thing and alerted Ofcom of the breach and the individual was let go by the television network. In an official statement Ofcom asserted that while the breach of data was great the exposure was limited due the integrity of the television network.
Clearly based on these few examples, human behavior whether intentional or unintentional can have a massive impact on internal data security, so what can be done to mitigate this exposure?
Increase Employee Awareness
In this modern age, it is no longer enough for the IT department to be the experts on data security. Employees need to be properly trained and aware of the importance of data protection and security in order to mitigate risk. This is much more than a once per quarter email from IT on the dangers of phishing scams. A robust onboarding program that emphasizes best practices as well as detailed instruction on data security is a must in an age where we have everything to lose. One article by Forbes suggests that data privacy will be one of the most important issues businesses face over the next decade. It is important to instill a sense of urgency on the employee level in order to minimize the effects of careless human behavior on a data security level.
Set Clear Expectations for Security
Five years ago, taking your laptop home with you from work was probably seen as a norm, today at some companies this might be a major breach of security. Especially in the days of working from home and hybrid work environments having a clear set of policies and procedures is a must in order to instill clear understanding of workplace expectations on the employee level.
Overall, while cybersecurity today largely focuses on external threats to an organization, it is safe to say that internal security cannot be overlooked and pertinent and robust employee training is crucial to ensure adequate knowledge on the importance of secure data practices. Ultimately, even with the strongest exterior defense systems and safeguards, these can all be undermined by the actions of a careless individual within the organization. Now more than ever it is important for every level of an organization to take the necessary steps to become educated on best practices to ensure security on all fronts.