Cybersecurity and employee breaches
16 February 2016
Technological advances and growing connectivity have provided huge opportunities for companies, offering new ways of working and broadening their global reach. However, these developments have also brought new threats. Cyber attacks are becoming increasingly sophisticated, widespread and disruptive; they represent a level of risk that is difficult to control and mitigate. In light of these risks, 2016 is likely to see cybersecurity become one of the key items on companies’ agendas.
And believe it or not, those who have the greatest influence on the cybersecurity of a company are its own employees.
Cybersecurity – legal developments
Recent changes in the legal landscape have underlined the growing importance of cybersecurity and the need to establish higher security standards. The Network and Information Security Directive, agreed at the end of 2015, aims to ensure a high common level of security across the EU, introducing requirements for certain companies in key sectors to implement measures relating to the management of security risks and reporting of significant cyber incidents to national authorities. The new General Data Protection Regulation, meanwhile, heralds harsh new penalties for companies with data breaches, and fines of up to 4% of annual worldwide turnover for infringements.
The scariest thing about cyber attacks is not knowing what to expect, as their disguise changes almost on a daily basis. They can be crippling to businesses, potentially resulting in the theft of sensitive business information, reputational damage, and not least, the loss of the trust of employees and customers whose data has been compromised. The financial cost is eye-watering: the latest statistics from the Government’s 2015 Information Security Survey lists the average cost to a large organisation as between £1.46m and £3.14m.
The face of cybercrime
It is all too easy to imagine that the offenders are a group of invisible, highly intelligent, young hackers who spend their days and nights in digital dungeons. The Government’s research tells a different story. Although the origin of 23% of security breaches was from organised crime, with a further 5% attributed to non-professional hackers, the largest group responsible for breaches, at 36%, was employees/contractors. The telling statistic is that only 10% of these breaches were intentional, with 26% accidental. This is good news for employers because there is scope to do something about it and thereby minimise exposure.
Staying Cyber Safe
Preventing highly sophisticated attacks will always be a challenge for companies, but there are things that can be done to mitigate the risks of inadvertent breaches by employees. Below is a list of practical steps to stay cyber safe in relation to your employees.
Education: as most breaches by employees are unintentional, education must be the first line of attack. There are some great training materials on the market which bring cybersecurity to life and emphasise that employees share the responsibility for staying safe.
Pre-employment vetting: data protection rules allow vetting where there are particular and significant risks, and where there are no less intrusive alternatives. For organisations with highly sensitive data or where the breach might cause significant harm to customers/users/employees, deeper checks might be required but in any event all checks will need to be done in a proportionate and non-discriminatory manner.
Contractual protection: to address lack of awareness, ensure employees are made aware that there are rules in their contracts, handbooks and policies on IT Security, confidential information and IP, with disciplinary sanctions for non-compliance. From time to time, notify or remind employees that monitoring will take place to ensure compliance with these rules.
Mobile working: review the firm’s mobile working policy and encourage safe practices such as the use of strong passwords, restricting the use of removable media (such as USB drives) and avoiding use of personal mailboxes for company business.
BYOD: this is a particular threat as mobile technology is the perfect vehicle for importing malware or exporting, for example, valuable proprietary information. The Government’s statistics reflect this: 15% of large organisations had a security breach in the last year involving smartphones or tablets, and 3% of the worst breaches were due to portable media bypassing defences.
While the evolving and unpredictable nature of cybercrime means that companies can never fully eradicate the possibility of a security breach, basic practical measures such as these, combined with effective security technologies and appropriate response procedures, can considerably reduce risk.