How to Prevent Data Breaches by Employees and
Reduce the Financial Impact If They Occur
Amidst all the panic over malware and trojans, many businesses still fail to protect themselves from an equally dangerous threat: data breaches caused by their own employees.
According to NBC News, the financial damage caused by a data breach has risen by more than six percent since last year (2017) and now costs companies an average of $3.86 million each. A mega breach involving 1 million compromised records could cost as much as $39.49 million.
“In all industries employee breaches pose a greater risk than even external breaches. Unchecked data access can cause loss of control over confidential information and may even allow for fraud.” says Nathan Zych, Founder of Outsource IT.
That statement was borne out by the incident at Pfizer, where a former global marketing executive downloaded 600 files and emails just before she resigned. The files and emails contained trade secrets, marketing plans, marketing budget data, market research, and sales information.
So how can businesses protect themselves from this threat?
“IT processes can be put in place to control access to critical information so that if an incident is suspected, an audit of the environment will be triggered. Additionally, every company should have clear onboarding and off-boarding policies to ensure that all access is revoked from terminated users.” says Zych.
For employees who are permitted to use portable media such as USB devices, or who are allowed to connect their smartphones to computers, controlling the flow of information is considerably harder: these devices can allow an employee to bypass company information control policies.
Many companies require these employees to sign confidentiality agreements to protect themselves in this situation. However, without a proper system in place to monitor employee activity and react in a timely manner, gathering evidence is difficult.
Fortunately for Pfizer, the employee left an obvious digital footprint, which allowed the company to gather evidence of her activities and swiftly take legal action.
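The "digital footprint" in a case like this is usually a file-server or document-management audit trail. The following is an added example, not code from the article or from Outsource IT, of the kind of monitoring the text calls for: it scans an access log for any employee who reads an unusually large number of files in one day compared with their own normal behaviour, and raises the priority when HR has recorded that the person has given notice. The log format (`timestamp,user,action,path`), the sample entries, the `LEAVERS` feed and the thresholds are all constructed assumptions for the demo.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample audit log in an assumed "timestamp,user,action,path" format.
# Three quiet days for alice and bob, then alice pulls 12 marketing files on
# 2018-09-14, the pattern the article describes in the Pfizer case.
SAMPLE_LOG = "\n".join(
    [
        "2018-09-10T09:12:01,alice,READ,/share/marketing/plan_q4.docx",
        "2018-09-10T09:15:44,alice,READ,/share/marketing/budget.xlsx",
        "2018-09-10T10:02:13,bob,READ,/share/eng/design.pdf",
        "2018-09-10T10:05:51,bob,READ,/share/eng/roadmap.docx",
        "2018-09-11T08:55:00,alice,READ,/share/marketing/research.pptx",
        "2018-09-11T09:20:17,alice,READ,/share/marketing/campaign.docx",
        "2018-09-11T11:40:02,bob,READ,/share/eng/design.pdf",
        "2018-09-11T11:41:30,bob,READ,/share/eng/specs.pdf",
        "2018-09-12T09:05:09,alice,READ,/share/marketing/plan_q4.docx",
        "2018-09-12T09:30:41,alice,READ,/share/marketing/pricing.xlsx",
        "2018-09-12T09:48:12,alice,READ,/share/marketing/budget.xlsx",
        "2018-09-12T14:10:00,bob,READ,/share/eng/roadmap.docx",
        "2018-09-12T14:12:33,bob,READ,/share/eng/specs.pdf",
        "2018-09-14T13:00:00,bob,READ,/share/eng/design.pdf",
        "2018-09-14T13:01:10,bob,READ,/share/eng/specs.pdf",
    ]
    + [f"2018-09-14T17:{m:02d}:00,alice,READ,/share/marketing/file_{m}.docx"
       for m in range(12)]
)

# Constructed HR feed (assumed input): employees who have given notice.
LEAVERS = {"alice"}


def parse_log(text):
    """Parse log lines into (day, user, path) tuples, keeping READ events only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(",", 3)
        if action == "READ":
            events.append((date.fromisoformat(ts[:10]), user, path))
    return events


def daily_counts(events):
    """Return user -> {day: number of distinct files read that day}."""
    files = defaultdict(lambda: defaultdict(set))
    for day, user, path in events:
        files[user][day].add(path)
    return {u: {d: len(p) for d, p in days.items()} for u, days in files.items()}


def detect_bulk_downloads(events, leavers, min_files=10, factor=4):
    """Flag user-days where the distinct-file count is at least `min_files`
    and at least `factor` times the user's own median on their other days.
    A user on the leavers list gets a higher priority, since that is exactly
    when an audit of their activity should be triggered."""
    alerts = []
    for user, days in daily_counts(events).items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if count >= min_files and count >= factor * baseline:
                alerts.append({
                    "user": user,
                    "day": day.isoformat(),
                    "files": count,
                    "baseline": baseline,
                    "priority": "high" if user in leavers else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_downloads(parse_log(SAMPLE_LOG), LEAVERS):
        print(alert)
```

Comparing each day against the employee's own median keeps a heavy-but-normal user (an analyst who opens dozens of files every day) from paging the response team, while a sudden jump by someone who normally opens two or three files a day, especially one who has just resigned, surfaces immediately.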
SecurityIntelligence reports that companies are more likely to experience a data breach of at least 10,000 records (a 27.9% chance) than their employees are to catch the flu this winter (a 5-20% chance according to WebMD). This comes from the 2018 Cost of a Data Breach study, which reported that the average total cost of a breach is between $2.2 million and $6.9 million.
“The good news is that when such breaches occur, the faster the reaction time, the better the chances of reducing the financial impact. Thorough preparation and a vigilant incident response team is key.” says Zych.
That statement is consistent with the recent SecurityIntelligence study of 477 companies, which found that the average cost of a data breach was $148 per compromised record, because organizations in the study took 196 days, on average, to detect a breach and 69 days to contain it.
The study also found that reacting more quickly to incidents could reduce the cost per compromised record by $14, and that it was $13 lower where strong encryption was in place.
Aside from having a fast incident response team, here are 5 additional tips from Nathan Zych to help prevent and reduce the financial impact of a data breach:
- Control Portable Media Devices
Companies that provide their employees with portable media devices such as USB drives, or smartphones that can be connected to computers, should always use data encryption. In addition, devices should be company-issued and controlled to prevent information leakage or unauthorized removal of information.
- Restrict Access to Confidential Business Information
Confidential business information should be stored in a secure environment with restricted access. Only employees who need this information should be given access, and they should undergo thorough background checks before access is granted.
- Encrypt All Data
All data should be encrypted, including email. This must cover information ‘in motion’, information ‘at rest’, whole-disk encryption, and of course all portable media devices and smartphones.
- Implement Strict Policies and Procedures
Strict company policies should be put in place to govern the handling of confidential company data. These should also include clear onboarding and off-boarding procedures to ensure that all access is revoked from employees who resign or are terminated.
- Educate Employees
Employees need to be properly educated on company policies regarding the use of the company’s email system and the handling of confidential information. Highlighting the consequences of violating these policies can also help increase compliance.
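Tips 2 and 4 both come down to a reconciliation that can be automated: the list of people who should hold access to confidential data, and the list of people who still do. The following is an added example, not code from the article or from Outsource IT, of such a check: it compares an HR roster against a directory export and the access list of a confidential share, and reports enabled accounts for people past their last working day, accounts with no HR owner, and share access held by anyone who is not on the approved list. The roster, account and ACL data and their shapes are constructed assumptions for the demo.

```python
from datetime import date

# Constructed HR roster (assumed export): username -> (status, last working day)
HR_ROSTER = {
    "alice": ("terminated", date(2018, 9, 20)),
    "bob":   ("active", None),
    "carol": ("active", None),
}

# Constructed directory export (assumed): username -> account enabled?
ACCOUNTS = {"alice": True, "bob": True, "carol": True, "svc_backup": True}

# Constructed access-control list for the confidential share, and the
# business-approved list of who should hold that access (tip 2).
CONFIDENTIAL_ACL = {"alice", "bob", "carol"}
APPROVED_ACCESS = {"bob"}


def audit_access(roster, accounts, acl, approved, today):
    """Return a list of (finding, username) pairs for the off-boarding and
    least-privilege gaps a daily access review should catch."""
    findings = []

    # Off-boarding (tip 4): every enabled account must belong to a current
    # employee. An account with no HR record has no accountable owner.
    for user, enabled in accounts.items():
        record = roster.get(user)
        if record is None:
            findings.append(("orphan-account", user))
            continue
        status, last_day = record
        if status == "terminated" and enabled and last_day and today >= last_day:
            findings.append(("unrevoked-account", user))

    # Restricted access (tip 2): share access must be held only by current
    # employees who are on the approved list.
    for user in sorted(acl):
        record = roster.get(user)
        if record is not None and record[0] == "terminated":
            findings.append(("unrevoked-share-access", user))
        elif user not in approved:
            findings.append(("unapproved-share-access", user))

    return findings


if __name__ == "__main__":
    for finding, user in audit_access(HR_ROSTER, ACCOUNTS, CONFIDENTIAL_ACL,
                                      APPROVED_ACCESS, date(2018, 9, 21)):
        print(f"{finding:24} {user}")
```

Running the review against the HR feed every day, rather than relying on a ticket being raised when someone leaves, is what turns an off-boarding policy into something that is actually enforced; the `today >= last_day` check lets an account stay enabled through a notice period without producing noise.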
Tensions are high as companies grapple with malware and the emerging data security threat, and at the center of it stand employees, who are typically the weakest link in the chain. Considering that half of data breaches are caused by employees, and that the time it takes to identify a breach is critical to reducing its financial impact, it is important that companies implement a system to monitor their employees and react to breaches right away.
As Nathan Zych says, “Thorough preparation and a vigilant incident response team is the key.”