Organisations must protect themselves and end-users from insider threat

We are all aware of the danger posed by hackers and spammers, malware and ransomware, but one of the most immediate dangers to your organisation’s cyber-security comes not from without, but from within.

The people who have access to your information ‘crown jewels’ on a day-to-day basis are those in your employ and therefore represent your biggest threat. 

But contrary to popular belief it is not the threat from ‘malicious insiders’ you need to worry about most; simple end-user error is the biggest risk you face when it comes to data.

This is where an employee in the course of their work makes a mistake, such as inadvertently sharing something with the wrong person or typing in the wrong email address, which causes a data breach.

Those trusted employees are, after all, only human and can and will make honest mistakes.

A Freedom of Information request to the Information Commissioner’s Office (ICO) last year revealed that human error was the biggest cause of data breaches in the first quarter of 2016.

According to its category breakdown of the cases, most of the 448 incidents of data breach or loss recorded could be attributed to human error, including 42 cases in which data was emailed to the incorrect recipient.

A recent example that made headlines was the data breach at Newcastle City Council, in which personal details of thousands of adopted children and their parents were accidentally leaked by an employee.

The employee in question inadvertently attached an internal spreadsheet to emails inviting adoptive parents to a party.

The authority has launched a review of data protection and the ICO is investigating. The member of staff has resigned.

Data breaches of this kind can be hugely damaging, with the possibility of huge fines from the ICO of up to £500,000, not to mention the reputational damage that goes with it and the upset to those whose personal information has been compromised.

The ICO cites a couple of examples on its website, including that of Surrey County Council, which was fined £120,000 after three data breaches involving misdirected emails, and North Somerset Council, which was fined £60,000 after five emails, two of which contained details of a child’s serious case review, were sent to the wrong NHS employee.

Organisations public and private, large and small need to recognise the insider threat, understand the nature of it and take steps to address it.

These are things that are very easy to do. First you need to ask who must take responsibility for the systems and solutions that will assist and protect your end-users?

Whoever is deemed responsible must then ensure not only that policies and procedures are put in place to mitigate against end-user error, but also that there is a tech solution.

Investing in next generation data classification and data loss prevention technology is highly recommended.

It’s about having intelligent classification linked to people and content. This also has to be linked to information access. Who can have access to your information? Can it be shared externally? 

The best tech will remediate in real time, detecting when an end-user tries to send an email to the wrong person, or inadvertently tries to share a restricted internal document with someone externally, for example, preventing that happening and reporting back to the responsible person.

On the rare occasions where you get a malicious end-user, an intelligent system can pick it up and highlight that someone is behaving inappropriately.

We also need to start looking at a culture change when it comes to data security. Every organisation is talking about digital transformation but those conversations need to include safety and security for end-users.

We have a blame culture in many organisations that penalises those end-users who make honest mistakes in the course of their work when it comes to data. 

Employees are fearful for their positions because they know if they take one wrong step they potentially face the sack.

This is wrong; instead of end users facing the sack for making honest mistakes employers should be putting systems in place that protect them.

Ultimately the only person who should lose their job from a data breach is the person responsible for data security within the organisation not someone just carrying out their day to day tasks.

Contribution by Dr Debbie Garside, CEO of GeoLang Limited, as originally published in SC Magazine: https://www.scmagazineuk.com/organisations-protect-themselves-end-users-insider-threat/article/1474101