Beware of insider threats
No matter how much companies safeguard their information system from external attacks, employees remain the biggest threat to data security. In 2018, a study by Verizon showed 28% of data security violations were insider jobs.
While most data breaches occur because of employee negligence, such as failing to keep usernames and passwords secure, there have been cases of rogue employees using their privileges to steal corporate or client information.
Last week, an employee of Desjardins, the largest association of credit unions in North America, was arrested for allegedly collecting the information of 2.9 million customers in Canada and handing them over to a third party. The employee has since been terminated for the “unauthorized and illegal use of internal data,” Desjardins said.
The stolen data reportedly included personal information, such as names, addresses, birth dates, and social insurance numbers, as well as the transaction histories of members.
The incident is by far one of the largest data breaches against a Canadian financial institution, yet it took only a single employee to compromise the data.
How to combat insider data theft
The first step to preventing insider threats is to limit the type of access employees and managers have to corporate and employee files.
This means creating a hierarchy among staff to determine who should have administrator login and, consequently, greater control over data storage and transfer.
To protect the most sensitive information, organizations should require multiple admins to sign off on data requests in order to regulate access. Without proper clearance and justification for the access, staff are prohibited from viewing or downloading any item from the company’s files.
Regulating access will also help managers monitor transactions more closely. Any staff member who gains permission to manage the files can easily be held accountable for any data loss or breach.
“A business should organize itself and structure itself so employees have access to the data they need, but no more,” data law expert Bradley Freedman told HRD.
“You shouldn’t have one big network where everyone can access everything. It should be all be segregated and locked down, with technological measures that do that.”
Most importantly, HR, IT and compliance teams should look into educating all employees about the proper management of files, as well as implementing rules, protocols and sanctions against those who are found to be compromising data.
“Organizations ought to have an incident response plan and a designated team – a trained and tested team and plan – so that they’re ready to respond immediately,” Freedman said.
