Iain Johnston – COO
Employees can be one of a company’s most valuable assets. They form the backbone of business operations while also acting as your ambassadors to the general public. They can be your biggest advocates, but they can also be your biggest risk.
The recent data breach of accountancy software provider Sage is a prime example of the threat to security posed by opportunistic, malicious or disgruntled members of staff. It certainly serves to demonstrate just how damaging it can be to neglect internal security processes.
Sage seems to be handling its data breach according to the rule book. The company has notified the Information Commissioner’s Office, contacted affected customers and issued a statement to the media. But only time will tell the long-term impact of the breach on customer trust and brand loyalty, and the subsequent knock-on effect on share prices, profits and employee retention.
A huge amount of time and money is spent trying to stop cyber-criminals from hacking into operating systems and data sources. But it’s high time that some of this effort is directed towards protecting companies from those threats within the organisation.
Insider threats are nothing new
The threat of an insider attack isn’t a new phenomenon. Back in 2014, the FBI was already warning companies to look closer to home when evaluating their security risks. The government organisation’s advice was to implement user-centric identity and access management programmes to mitigate the chances of getting breached from within.
But it would seem that people are still failing to heed the warnings. A recent survey looking at industry attitudes found that although 90 per cent of organisations were aware of the threat posed by insiders, only half were equipped to deal with an internal attack on data.
Not even those organisations that are considered to be some of the most secure in the world are impervious to an insider data breach. Just look at the case of Bradley Manning supplying classified Department of Defence documents to Wikileaks, or Edward Snowden leaking NSA secrets to journalists from The Guardian and The Washington Post. The latter is soon to be released as a Hollywood blockbuster, illustrating the height these types of breaches can reach.
Lock the doors from the inside
It’s unsurprising that the weakest spots in security are where humans are involved. Whether it’s a spear-phishing attack on a PA with access to passwords or directly on a CEO, or simple errors such as a call centre agent writing down numbers on bits of paper, it’s often internal processes that need looking at.
There’s no magic formula to combat this. However, an information security management system certified to ISO 27001, regular Disclosure and Barring Service (DBS) checks and a well-defined whistle-blower policy can help. Knowing what data is stored where, and who has access to it, is also key.
As far as possible, a company’s main objective needs to be to minimise the places where sensitive data is held. The more systems that access data, the more opportunities there are for it to fall into the wrong hands. It’s in everyone’s best interest that employees aren’t bearing a security burden that’s just too heavy; and if the data’s not there, nobody can hack it.
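The two points above, knowing where sensitive data lives and who can reach it, and cutting down the number of systems that hold it, are exactly what a periodic access review answers. The script below is an added illustration and is not code from the original article or from Sage; the inventory, grants and the role-to-system policy are all constructed sample data, and the field names are assumptions. It lists which users can reach each sensitive system, flags grants that a user’s role does not need, and points out data classes duplicated across several stores, which are the consolidation candidates the article argues for.

```python
"""Access-review helper: where does sensitive data live, and who can reach it?

Everything here is constructed sample data for illustration; the inventory
shape (name -> {"sensitive", "data"}), the grant tuples and the role policy
are assumptions, not any real product's schema.
"""
from collections import defaultdict

# Constructed inventory: which systems hold which classes of data.
SYSTEMS = {
    "crm":          {"sensitive": True,  "data": ["customer_pii"]},
    "billing":      {"sensitive": True,  "data": ["card_tokens", "customer_pii"]},
    "reporting_db": {"sensitive": True,  "data": ["customer_pii"]},  # copy of CRM data
    "wiki":         {"sensitive": False, "data": ["docs"]},
}

# Constructed access grants: (user, role, system).
GRANTS = [
    ("alice", "sales",   "crm"),
    ("alice", "sales",   "wiki"),
    ("bob",   "finance", "billing"),
    ("bob",   "finance", "reporting_db"),
    ("carol", "support", "crm"),
    ("carol", "support", "billing"),       # support has no business need for billing
    ("dave",  "intern",  "reporting_db"),  # interns need no sensitive system at all
]

# Assumed policy: which sensitive systems each role legitimately needs.
ROLE_NEEDS = {
    "sales":   {"crm"},
    "finance": {"billing", "reporting_db"},
    "support": {"crm"},
    "intern":  set(),
}


def sensitive_exposure(systems, grants):
    """Map each sensitive system to the set of users who can reach it."""
    exposure = defaultdict(set)
    for user, _role, system in grants:
        if systems[system]["sensitive"]:
            exposure[system].add(user)
    return dict(exposure)


def over_broad_grants(systems, grants, role_needs):
    """Return grants on sensitive systems that the holder's role does not need.

    Roles missing from the policy are treated as needing nothing, so an
    unknown role with sensitive access is flagged rather than silently passed.
    """
    return [
        (user, role, system)
        for user, role, system in grants
        if systems[system]["sensitive"] and system not in role_needs.get(role, set())
    ]


def duplicate_data_stores(systems):
    """Data classes held in more than one sensitive system: consolidation candidates."""
    holders = defaultdict(set)
    for name, info in systems.items():
        if info["sensitive"]:
            for data_class in info["data"]:
                holders[data_class].add(name)
    return {cls: sorted(names) for cls, names in holders.items() if len(names) > 1}


if __name__ == "__main__":
    for system, users in sorted(sensitive_exposure(SYSTEMS, GRANTS).items()):
        print(f"{system}: reachable by {', '.join(sorted(users))}")
    for user, role, system in over_broad_grants(SYSTEMS, GRANTS, ROLE_NEEDS):
        print(f"REVIEW: {user} ({role}) has access to {system} without a role need")
    for data_class, stores in duplicate_data_stores(SYSTEMS).items():
        print(f"CONSOLIDATE: {data_class} is held in {len(stores)} systems: {stores}")
```

Run against a real export of grants, the two review outputs are the actionable items: over-broad grants are revoked, and duplicated stores (here the reporting copy of CRM data) are the places to remove data from so that, as the article puts it, there is nothing there to take.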
At the end of the day, insider attacks on data are just as costly and will do just as much damage to your reputation as being breached by a hacker. Therefore, it’s crucial to bolster both internal and external security to keep your customers’ data safely out of the hands of criminals.