Careless employees are a bigger cyber threat than external hackers
Cyber attacks are in the news every day. Uber’s recent hack affected 57m people worldwide, and made headlines when it was revealed the company had paid $100,000 to recover data and keep the breach secret.
However, the attention given to high-profile hacks may be misleading – especially if they only focus on attacks from outside.
We may pay too much attention to highly-skilled external attackers, when some of the most damaging breaches come from inside, or are caused due to lapses in data hygiene.
Recent high-profile breaches – such as Equifax losing 145.5m records, Time Warner Cable’s breach affecting 4m customers, and Verizon losing 14m subscriber deals – were internal incidents occurring due to human error and security failures, where systems were left open for someone to walk straight in.
Rather than attacks by expert safecrackers, employees were leaving the door unlocked.
It’s happening everywhere. Between January 2016 and September 2017, more than £2m was paid in fines to the Information Commissioner’s Office for Data Protection Act breaches. However, external assaults accounted for only 26 per cent, or £530,000, of those fines, with roughly three times that amount (£1,472,000) coming from internal lapses.
More data has been lost through internal mishaps – such as stolen laptops, staff not properly using BCC on emails, or improper disposal of confidential documents – than has been stolen by external hackers.
Data protection has to look inwards, as well as outwards.
Organisations require external protection via cyber security software and solutions. Properly installing, configuring, maintaining and managing IT systems is crucial, especially when many cloud solutions are billed erroneously as secure straight out of the box. Proper data hygiene must be enforced internally, and everyone should be aware of their responsibilities.
A chief information security officer is integral to the running of a company, working with management to promote data-handling culture. Regular training sessions and policy updates should keep data protection protocols current, and ensure that staff don’t become complacent.
In addition to technical monitoring, staff should also be aware of what the correct approach is, so they can identify the wrong one.
Consumers continue to embrace the digital economy, often handing over personal details in the process. They need to believe their information will be handled responsibly. If it isn’t, they quite rightly want to know why, and will condemn organisations loudly and publicly.
Being careless results in huge reputational damage to the brand, adding lost revenue to the financial damage of a fine. With GDPR regulations due to be tightened in May 2018, these fines will also become a bigger threat to everyone.
Every company will suffer an attempted hack within five years, so external protection is essential. But companies must also be aware of internal risks.
Good data hygiene is the difference between being viewed as the victim or the culprit by the law and the general public. A fine, even under GDPR, may be a one-off expense. However, being found guilty by the people has long-lasting effects.
Just ask Equifax or Verizon.