With data breaches becoming almost daily headline news, businesses are spending both time and money on ensuring that people who shouldn’t be accessing their data can’t. However, what about the situation where an employee who legitimately needs access to the data decides to steal it, whether to sell for profit or with malicious intent?
In most cases when a data breach can be pinned down to an employee, their intentions were not malicious; they were simply unaware that what they were doing, or the way in which they were doing it, left the company in a vulnerable state. However, the number of cases where the employee knew exactly what they were doing is on the increase, with 19% of incidents believed to be intentional according to a recent survey carried out by RSA. 52% of incidents are believed to be accidental, but RSA’s Chris Young says “Unintentional risk gets overlooked, yet it’s the most serious threat to business”.
Current staff are the least of a company’s worries, with disgruntled former employees posing a far bigger security threat. A shocking 53% of ex-employees have admitted to stealing company data with the intent of causing harm to the company. These threats can cost the business revenue, reduce its competitive advantage and result in bad P.R. for the organisation, which is often extremely difficult to recover from.
Are there ways to prevent both accidental and intentional data breaches?
Accidental breaches, most definitely: increasing users’ knowledge and understanding of data security can help to prevent these issues. I.T. training and increased I.T. understanding can also help employees to realise why data breaches are so threatening to the company.
Intentional data breaches are a little bit harder to prevent, especially if the employee needs to access the data in order to do their job. Steps can be taken to increase permission controls across the company’s network, to ensure that data can only be accessed by the people that should be viewing it.
The issue of insider risk is not going to go away easily: the closer to the I.T. department the threat is, the more damage can be caused. A lot of trust is placed in an I.T. department, and questions have been asked: with no accreditation body controlling the I.T. sector, as there is in engineering, accountancy or healthcare, can or should companies afford to put so much faith in one department?