3 Steps to Reducing the Risk of Data Breaches Caused by Internal Weaknesses in Your Business

Every business should know the dangers of cyber attacks and weaknesses in data protection, and should take the necessary steps to ensure their data is secure, but cyber security and data loss incidents are not always caused by outside forces. Many come from within the organisation, and are a result of internal vulnerabilities that stem from weak security policies and practices, or negligence caused by basic human error. Here, we outline some simple steps you can take to ensure your sensitive data is protected from the type of incident that can disrupt business continuity and compromise your compliance with data protection regulations.

Leading Causes of Data Loss

It’s tempting for businesses affected by an internal cyber security incident or data breach to put it down to a rogue employee or malicious intent, but in fact the majority of cases are caused by human error or failures in the data security process. In its report for the last quarter of 2017, the Information Commissioner’s Office (ICO) found that four out of five leading causes of data loss they acted upon were due to this.

Those incidents included:

  • Loss or theft of paperwork (91 incidents)
  • Data posted or faxed to incorrect recipient (90 incidents)
  • Data sent by email to incorrect recipient (33 incidents)
  • Insecure web page, including hacking (21 incidents)
  • Loss or theft of unencrypted device (28 incidents)

A recent report by the Ponemon Institute that surveyed 3,000 employees and IT practitioners across the UK, France, the US and Germany came up with some startling statistics.

  • 76% of IT practitioners say their organisation experienced the loss or theft of company data over the past two years
  • 88% of end-users say their jobs require them to access and use information such as customer data, contact lists, employee records, financial reports, confidential business documents, or other sensitive information assets
  • 62% of end-users say they have access to company data they probably should not see
  • Only 29% of IT respondents report that their organisations enforce a strict model to ensure staff only have access to company data on a need-to-know basis
  • Only 25% of businesses surveyed monitor all employee and third-party email and file activity, while 38% don't monitor any activity
  • 35% of organisations have no searchable records of file system activity, leaving them unable to determine if files have been compromised by ransomware.

With GDPR on the horizon, this slack approach regarding the access to, processing and sharing of sensitive data, must be addressed by every organisation who wants to avoid the crippling fines this new legislation will bring for non-compliance with data protection.

Overcoming the Data Protection Challenge

It must, of course, be pointed out, that staff, while usually at the coalface of data processing, shouldn’t be singled out for blame (unless they prove to be one of those rogue team members with a grudge) when it comes to data loss or leaks. Organisations themselves also faces big challenges.

The way business is done today has led to dramatic changes in staff behaviour that can lead to a sense of apathy and unintentional carelessness when it comes to their employer’s business policies and practices. Combined with this is the overwhelming volume of data now being processed on a daily basis, and the use of mobile devices and remote working policies, all of which add up to make it more difficult to effectively uphold best practices and ensure staff follow the correct protocols when it comes to data protection and cyber security.

It is therefore imperative that the IT support team within every business takes proactive steps to not only inform everybody within the business regarding data protection and cyber security best practices, but to include them in creating and following those policies and procedures.

1 - Develop an organisation-wide cyber security policy

In order to know what actions are allowed when it comes to accessing, processing and sharing sensitive data, a policy must be put in place for staff to follow. The IT team should create and implement a set of guidelines that leave no doubt as to what should, and should not be done across the organisation’s IT infrastructure, network and files.

This should include:

  • An acceptable use policy – outlining how the company’s data assets and hardware and software assets can be used, how it can be stored (eg, on the cloud, or on USBs, etc), what data can be shared, and by what means (eg, email)
  • A privacy policy – outlining what staff can do with company data, where sensitive data is stored and why, and the safeguards in place to protect that data (eg, encryption or pseudonymisation)
  • Mobile or remote access policy – outlining how data should be accessed remotely, what safeguards are in place to keep this secure, and how mobile devices are secured

It is also important to outline the consequences of not following best practices and policies, so that staff are fully aware of what a violation or negligence will result in.

2 - Educate and train staff on data protection and cyber security

In order to know what actions or processes are allowed, each staff member needs to be informed of the policies mentioned above, so education and training is vital to ensure they understand their responsibilities and the limitations on authorised access and usage that may be in place.

Frontline staff may be the weak link when it comes to cyber security, but they can also be the first line of defence, so if they are knowledgeable about cyber security threats such as ransomware, know how to spot danger signs or detect unusual behaviour, and are given clear instructions on what to do in the event of a suspected cyber security incident, your IT support team will be better able to act on the threat quickly.

Awareness campaigns, regular email updates and formal training programs will all help staff get on board with the company’s cyber security and data protection policies, and can help to build a collaborative cyber security culture.

3 - Use IT to monitor actions

This doesn’t have to mean acting like Big Brother and watching everything your employees do, it is simply a matter of putting the IT tools and tech solutions you have at your disposal to work so that you can set rules for data access, and detect when these have been violated.

Software logs can record all employee activity within your company network, and regular monitoring and analysis of these can quickly identify the source of any data breaches or violations of best practices, eg, sensitive files sent to an employee’s personal email, files downloaded to an unauthorised USB, etc.

This will help to pinpoint how exactly a cyber security incident resulting in a data breach has occurred, where, and why, so that the IT team can get to work on resolving it efficiently, minimise any disruption caused, and put the data loss response plan into action effectively.

Data protection and cyber security is not just the responsibility of the IT team, it’s an organisation-wide endeavour that includes educating staff on best practices and implementing clear policies that can help the business to keep its data secure from threats, both external and internal. This can, however, take time, which many organisations can’t afford to spare as they focus on running the business, which is why it is a good idea to consider hiring an IT consulting service with expertise and experience in cyber security and GDPR compliance.

The team at Optimity can advise on the data protection and cyber security measures you need to put in place to comply with new legislation, and can help to implement the tech solutions you need to keep your business secure and ahead of the competition.

Find out how we can help your business by getting in touch, or by booking a security audit.