Every week seems to bring a new round of data breaches and cybersecurity threats to employers, and lately much attention has been focused on the internal threats posed by employees. Even though these internal threats have become a red-hot topic, several cybersecurity experts agreed that the issue is nothing new and that it’s just heightened awareness that has brought the problem to the forefront.
“The bad apple employee has always been a threat to employers, even before the advent of the digital age,” said Andrew McDevitt, global privacy consultant and strategist at TRUSTe, a San Francisco-based data privacy management company. “What has increased in recent years is the amount of data and information available that can be pilfered. But when you’re talking about the threat of fraud or misuse of data by employees, it is really nothing new. I think it all sounds new because more people are taking notice and becoming more aware of the problem.”
The Verizon 2014 Data Breach Investigations Report appears to support McDevitt’s claim. The report found that internal misuse accounted for 8 percent of corporate data breaches during 2013, and 13 percent from 2004-2012. An Associated Press analysis of data breaches and computer security problems in the U.S. government found that since 2010, federal employees and contractors were responsible for more than half of all cyber-related security incidents.
The reports found that the vast majority of these incidents were unintentional, as employees unwittingly loaded malicious software onto their computers by opening virus-laden e-mails, or by clicking onto links or visiting websites infected with computer viruses or spyware.
Still, the high-profile case of Edward Snowden, the government contractor who downloaded highly sensitive information from the National Security Agency (NSA), grabbed the attention of employers and made them realize just how vulnerable their own sensitive and proprietary data was, according to Stu Sjouwerman, CEO of KnowBe4, a cybersecurity consulting firm in Tampa, Fla.
“Business leaders really sat up and took notice because if that can happen to the NSA, which is one of the most security-conscious agencies in the world, then it can certainly happen to any organization,” Sjouwerman said.
Tip of the Iceberg?
While the number of reported insider misuse cases is disturbing, the number of unreported cases is most likely much higher. The statistics cited in recent reports reflect only reported cybersecurity incidents.
Often, federal or state laws will require employers to report data breaches. But when a notification of a breach is not mandated, then it can be in an employer’s best interest to keep quiet and not expose system vulnerabilities—especially if the breach doesn’t involve sensitive customer or employee data, said several sources familiar with the issue. Therefore, the statistics on cybersecurity incidents most likely underreport the extent of the problem.
Whenever a breach occurs, however, businesses are obligated to inform individuals or organizations that their information has been compromised.
The publicity surrounding recent cybersecurity lapses and data breaches has grabbed the attention of employers around the globe. And as awareness about these threats grows, employers’ emphasis on protecting their information systems has intensified.
“Employer interest definitely has increased in the past year, which is a good thing because, frankly, cybersecurity among private-sector employers has been and still is fairly lax,” Sjouwerman said. “There’s a lot of catching up to do, and frankly it’s much harder to protect yourself from inside threats, but not totally impossible.”
Sjouwerman and McDevitt agreed that employers must concentrate on building a security culture within their organizations. Businesses will achieve effective and efficient security cultures only if executives at the highest levels of the organization fully support the effort.
“It must come from the top down and not be some lip service of executives saying one thing but then not following corporate policies,” Sjouwerman said. “By not following policy, they will demonstrate that they are not fully committed to ensuring the security of the company’s data and information systems.”
A Critical Role for HR
In addition to the support of top-level managers, human resource professionals have a critical role to play in ensuring the digital security of their organizations, according to Sjouwerman and McDevitt. First and foremost, HR departments must practice what they preach when it comes to cybersecurity and must be diligent to ensure that the organization’s HR-related data is secure.
The employee records that HR departments must keep on file typically include critical personal information. If workers feel that their personal data is at risk because of lax management and record-keeping practices, then they will possibly feel threatened.
“There’s no perfect environment for cybersecurity, but if you’re not displaying that you’re doing everything possible to protect employees’ personal data, then your employees won’t feel secure,” McDevitt said. “If you’re not doing all you can, and end up having a data breach, then you will have unhappy employees, which most likely will lead to unhappy customers. And then your brand will be tarnished.”
McDevitt and Sjouwerman recommended that HR departments conduct periodic audits of data usage to keep a close eye on who is accessing employee data and how they are using that information. In addition, Sjouwerman advocated a redundant system in which two auditors monitor all corporate data access and usage.
“If you assign the job to two different people, then it can significantly reduce the risk of insider abuse, because you now have two watchdogs on the job,” Sjouwerman said.
McDevitt agreed that monitoring data usage is a good policy; however, he said that a trusted third-party vendor or independent auditing group can do the job just as well if not better than internal staff. McDevitt and Sjouwerman recommended looking for auditors who have been certified in their field, such as Certified Information Systems Security Professionals.
“Definitely research the companies and consultants offering these kinds of services, and talk to colleagues and other business leaders in your area and industry to see whom they have worked with,” McDevitt said.
Getting the Message Across
Although most employers now have computer and data-usage policies in place, any corporate policy is basically useless unless employees fully understand the policy and the consequences of not following it. Therefore, HR’s other critical roles in building a strong organizational security culture are to develop policies and then educate employees about the importance of adhering to these policies.
“It is key for HR to have a conversation with the IT department and decide on the best practices for security and privacy protections,” McDevitt said. “But you can’t just stop there, you have to build on those best practices. It is a journey to reach the optimal level of cybersecurity, and it should always be an ongoing effort.”
Once corporate policies and best practices are set, then HR must make sure that employees get the message that the policy is vital to the safety and security of the organization. Luckily, employees who would willfully violate a policy and intentionally steal corporate data are rare. Most insider threats are unintentional and result from employee mistakes or carelessness.
Some cybersecurity experts now use the term “digital hygiene” and emphasize the importance of using strong passwords that include a variety of letters, numbers and symbols. Digital hygiene also includes best practices such as not sharing system logins with co-workers, avoiding suspect e-mails and websites, and staying clear of unsecured Wi-Fi networks.
The Biggest Insider Threat?
Possibly the biggest internal cybersecurity threat may be employees who bring their personal smartphones to the office, according to Eric Schwartzman, CEO and founder of Comply Socially, a Santa Monica, Calif.-based consulting group that specializes in social media and security awareness training.
“Smartphones really are a wildcard right now because it’s very easy for malicious software to be loaded onto phones from downloading apps or receiving virus-laden photos and videos through e-mails or text messages,” Schwartzman said.
Schwartzman laid out a scenario in which an employee’s phone is infected with malware, and then he or she plugs the device into a USB port on an office computer or signs onto the company’s Wi-Fi system.
“Once that happens, then the malware will be behind the corporate firewall and free to infiltrate the organization’s computer system,” he said. “So it’s really vital that HR implement a strategy that targets employee behavior and educates them about this growing threat.”
He acknowledged, however, that getting employees to change their ways and improve their digital hygiene practices can be a tough assignment.
“It’s very hard to get people to break habits and take extra precautions when there might not be any perceived benefits,” said Schwartzman. “The key is to put it on a personal level and show them that the risk is very real, and threatens not only the company’s security but their very own privacy.”
Too often, businesses make the mistake of concentrating on risks to the safety and security of the organization and not the individual employees, he added.
“The message should be that this is a shared risk and that by working together, the business and its employees can prevent or possibly even eliminate data breaches and help stop identity theft,” Schwartzman said.
Bill Leonard is a senior writer for SHRM.
To read more HR news, please click here.