Usually when we think of data breaches, we think of the announcements by a retailer or major health insurance company that they’ve lost a bunch of super important and critical customer data. These announcements grip the news media cycle for a few weeks, bringing with them public outrage, lawsuits, the offers of free credit monitoring, and calls for better data protection systems and even legislation. And then, sooner or later, we mostly just let it go.
While these large-scale breaches are certainly important – and life changing for those affected – accidental insider data breaches, though smaller in scale, can prove just as catastrophic.
So let’s start at the beginning. What do we mean when we say an “accidental insider” breach? Essentially, these breaches refer to a well-intentioned employee being coerced or tricked by a competitor or other ill-intentioned outsider into providing data – such as passwords or other proprietary information – or unintentionally installing malware that can either hand over the data automatically or otherwise harm or disable business operations. The difference here – and it is a big one – is that there is no malice on the part of the employee: they have no idea they are doing it and no expectation that they will benefit, monetarily or otherwise, from the activity.
Ok, so now that we’ve cleared up what it is, let’s discuss how commonplace it is. According to a study by Accenture and HFS Research, two-thirds of respondents “reported experiencing data theft or corruption from within their organization,” and a second study by the Ponemon Institute reveals that a similar share of end users report that they can view company data that they probably shouldn’t be able to access.
The good news is that there is a series of simple steps you can take to protect both your company and your employees from these inadvertent data breaches, and it all starts with knowing where these types of issues are most likely to arise. Below, Eric Cole, an industry-recognized security expert who served as Commissioner on Cybersecurity for President Barack Obama, and as a Senior Vice President at McAfee, outlines three of the most common ways that these small-scale data breaches occur.
Phishing via email:
Email is a wonderful way to connect employees with the people they need to reach, but the path these messages travel is ripe for data breaches. Part of the problem is that we are so responsive to email: a message crops up in the inbox and we simply answer it to knock it off our to-do list. A second strike against the system is that most companies don’t have sensitive enough mechanisms to filter out spam. Sure, we usually don’t see all those requests from the Nigerian princes or the ads for the next greatest weight loss pill, but there’s no denying that a lot of junk still slips by. Finally, hackers have gotten increasingly savvy and take steps to make sure that their emails look legitimate – they create spoofed addresses that can easily trick the eye.
So how can you quickly and easily tell whether an email is legit? Forgeries are convincing enough these days that, rather than hunting for signs of tampering, you should simply be suspicious whenever you receive an email request for a username, password, personal information or any other data that could be considered confidential or proprietary to your employees or the company at large. Should you receive such an email, either call the sender by phone to verify the request or pass the suspicious email along to your IT team or a manager for further review.
Viral attachments and links:
Sometimes you get an email that doesn’t outright ask for personal information but instead encourages you to click a link or open an attachment in order to address an issue. The trouble is that these links and attachments can carry viruses and other malware, including what’s known as a Trojan: a hidden bit of code that can mine your company’s systems for data or otherwise wreak havoc on your computer or the company network.
Of course, most companies have firewalls and other anti-malware systems designed to identify suspicious emails and prevent them from winding up in your inbox. However, there is a further step you can take to head off these issues: only use your work email for work-related correspondence. For example, if you sign up to receive emails from a clothing company, have them sent to your personal email. Then, if you receive an email at work masquerading as that clothing company, you know it is suspicious because you never handed out that address.
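The two rules above (treat any emailed request for credentials as suspect, and be wary of attachments that arrive with a "fix this now" message) can be turned into a quick triage check. The following is an added example, not code from the original article or from Abel HR; the message it inspects is constructed, and the domain names in it are made up.

```python
import email
from email.utils import parseaddr

CREDENTIAL_PHRASES = ("password", "username", "login details", "account number")
URGENT_ACTION_PHRASES = ("click the link", "open the attached", "immediately")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage_message(raw, company_domain):
    """Return reasons a message deserves a phone call or IT review (empty = none)."""
    msg = email.message_from_string(raw)
    flags = []
    name, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    # Sender checks: display name claims the company but the real address is elsewhere, or replies go to a different mailbox.
    if company_domain in name.lower() and _domain(from_addr) != company_domain:
        flags.append(f"display name mentions {company_domain} but address is {from_addr}")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    text, has_attachment = "", False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace").lower()
    if (hits := [p for p in CREDENTIAL_PHRASES if p in text]):  # the article's main rule
        flags.append("asks for confidential data: " + ", ".join(hits))
    if has_attachment and any(p in text for p in URGENT_ACTION_PHRASES):
        flags.append("attachment paired with an urgent call to action")
    return flags

# Constructed sample (not a real message): a mailbox-quota lure with made-up domains.
SAMPLE = """\
From: "IT Helpdesk (example-corp.com)" <helpdesk@example-corp-support.net>
Reply-To: recovery@mail-example.biz
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your mailbox is full. Reply with your username and password immediately,
or open the attached form to restore access.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="restore_form.zip"

--b1--
"""
```

Running `triage_message(SAMPLE, "example-corp.com")` returns four reasons for the sample above; an ordinary internal note with no credential request returns an empty list.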
Personal device infiltration:
Sure, we’ve all grumbled when our employer has handed us a clunky old BlackBerry – or, even worse, what appears to be the world’s first laptop – and told us that we can only use this one for work. Now we have to not only carry two (three? four?) devices at all times, but we also have to remember to CHECK all of them. Oh, the horror! But it turns out this is all for good reason.
While some companies allow employees to Bring Your Own Device (BYOD), a compromised personal device puts not only that machine but the entire organizational network at risk. Your company can protect itself by requiring you to use a Virtual Private Network (VPN) whenever you use that personal device for work-related tasks, or by providing antivirus and anti-malware services that increase security. However, many companies find this much trickier than simply issuing you a device of their own that lets them list you as a user and themselves as the administrator. In doing so, your company can install software that blocks you from installing any unauthorized applications and thus protects proprietary company data.
Abel HR, which provides human resources services for small businesses, can help your company set up best practices for personal devices and email policies to avoid compromising data. Call one of our HR solution experts at 609.860.0400 to start securing your company data and ensuring HR compliance.