Everyone makes mistakes. But what happens when an employee misstep threatens your security? The resulting fallout would not only damage your organization, but also impact external stakeholders—your members, donors, etc.—whose data you are charged with protecting.
Employees Should Be An Asset, Not A Security Threat
Often, when we think of cybersecurity threats, shadowy images of hackers or criminals come to mind. However, security incidents can also be an inside job. According to Experian’s data breach forecast, 59% of security incidents or breaches are attributed to employees.
What’s the difference? A security incident violates an organization’s security or privacy policies, while a breach meets specific legal definitions and must be reported.
Whether security incidents or breaches are malicious or unintentional, they carry the same risk to your organization. This post will help you understand the preventive actions you can take to help your employees avoid common security pitfalls and protect your organization from employee abuse of privilege.
In 2014 an employee at Rady Children’s Hospital in San Diego accidentally emailed protected health information of 200,000 patients to a job applicant. The employee intended to send training information but selected the wrong file. Oops!
This and similar incidents are examples of miscellaneous employee error. Miscellaneous errors occur when an employee unintentionally compromises secure data. These errors include user failure, carelessness, lack of knowledge or expertise, and improper training. In 2015, there were 11,347 incidents of miscellaneous employee error—197 resulted in confirmed instances of exposed or leaked data.
Training is key in preventing employee error. Employees should be actively trained and observed on the networks and systems they use most. Most importantly, only employees who require secure data (personal information such as Social Security numbers, credit card numbers, etc.) to complete their jobs should have access to it. Employees should receive ongoing training when systems are updated, processes are changed, or new threats arise.
Additionally, all staff should be trained to identify common cyberattacks such as social engineering. Such training can include simple notices about known incidents that have happened or are likely, so your staff can protect themselves and the entire organization.
One of the most infamous cases of employee misuse took place in 2004, when a software engineer at AOL stole a subscriber list and sold it to a spammer for $52,000. According to court documentation, 92 million screen-names and email addresses were stolen, resulting in 7 billion spam emails. The employee was terminated and sentenced to 15 months in prison.
Unlike employee error, misuse is the intentional act of abuse or mishandling. The motivation for misuse is often financial gain or competitive espionage. In 2015, there were 10,489 total incidents of employee misuse of confidential data—including 55 confirmed instances where data was leaked or exposed to the public or third party.
Implementing an organization-wide culture of security can discourage individuals from abusing privileges or committing crimes. We recommend a clear security policy that states privacy rules, regulations, and processes that employees must follow. Additionally, it is important to lead by example and take policies seriously by actively promoting security through trainings and employee education. Staff should be motivated to protect your data and understand the repercussions of a breach or incident.
As an extra layer of protection, consider installing software that detects when data is downloaded in bulk, copied to a USB drive, or emailed externally. Detection software provides an early indicator of suspicious or abnormal activity and can stop an incident or breach before it occurs.
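As an added illustration (not from the original post or any particular product), here is a small rule-based detector in Python that runs over constructed activity-log events and flags the three behaviours just named: bulk downloads, copies to removable media, and email with attachments sent outside the organization. The event format, the organization's domain and the download threshold are assumptions.

```python
# Added example (not from the original post): a minimal rule-based detector
# for bulk downloads, copies to USB media, and external email with attachments.
# Event layout, domain and threshold are assumptions chosen for illustration.
from collections import defaultdict

INTERNAL_DOMAIN = "example.org"   # assumed organization domain
BULK_DOWNLOAD_MB = 500            # assumed per-user threshold for one log window

# Constructed sample events: (user, action, detail, size_mb)
SAMPLE_EVENTS = [
    ("alice", "download",  "/shares/hr/payroll.csv", 120),
    ("alice", "download",  "/shares/hr/benefits.xlsx", 450),
    ("bob",   "usb_write", "E:/members.db", 30),
    ("carol", "email",     "to=recruiter@gmail.com attach=training.pdf", 2),
    ("dave",  "email",     "to=finance@example.org attach=q2.xlsx", 5),
]

def external_recipients(detail):
    """Return recipients in an email event whose domain is not the internal one."""
    recips = [f[3:] for f in detail.split() if f.startswith("to=")]
    return [r for r in recips if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]

def detect(events):
    """Return (user, rule, evidence) alerts; bulk_download fires once per user."""
    alerts = []
    per_user_mb = defaultdict(int)
    flagged_bulk = set()
    for user, action, detail, size_mb in events:
        if action == "usb_write":
            # Any write to removable media is worth a look in a small organization
            alerts.append((user, "removable_media", detail))
        elif action == "email":
            ext = external_recipients(detail)
            if ext and "attach=" in detail:
                alerts.append((user, "external_email_attachment", ",".join(ext)))
        elif action == "download":
            per_user_mb[user] += size_mb
            if per_user_mb[user] > BULK_DOWNLOAD_MB and user not in flagged_bulk:
                flagged_bulk.add(user)
                alerts.append((user, "bulk_download", f"{per_user_mb[user]} MB"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Real deployments would read these events from a DLP tool, mail gateway or endpoint agent and tune the threshold to normal usage, but the rules themselves are this simple.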
Theft or Loss
Theft or loss can happen to any employee or organization. This month (June 2016), the NFL reported a backpack was stolen from the car of a Washington team trainer, containing the medical records and health exam results of thousands of football players dating back to 2004.
Theft or loss most commonly occurs within the office or the personal vehicle of an employee. Loss is much more common than theft—occurring 100 times more frequently. In 2015, there were 9,701 total incidents of theft or loss—including 56 confirmed instances of leaked or exposed data.
Maintaining a secure office environment is critical in preventing theft or loss. You can restrict access to employees only and record and monitor guests, as many organizations in Metro DC already do. Areas of your office such as server rooms or record storage should be limited to authorized personnel only. Additionally, staff should keep devices out of sight when not in use and never leave a device unattended in public.
We recommend including guidelines for proper storage and handling of equipment in your employee handbook and security policy—but be sure to follow that up with training and regular review. We also recommend including instructions for how to protect data on personal devices or unsecure networks.
Employees are the key to data security
Your employees should be your greatest assets, not the weakest link in your security chain. Protecting employees from falling victim to their own mistakes is critical to your organization’s security. Preventive actions can include providing security-centric training, developing a clear security policy, and even integrating security into your company culture. But prevention doesn’t stop there: it is also important to keep your ear to the ground and listen for any warning signs of malicious activity or privilege abuse.
Your employees should not be a security threat. Instead, employees should be the key to protecting your data and ensuring the success of your organization.
Looking for more information about information security? We’ve got you covered. Check out our eBook The Cybersecurity Watchlist for Association and Nonprofit Executives for more information on threats to your organization’s security and how you can prevent your data from being compromised.