The General Data Protection Regulation (GDPR) means the costs of a data breach are greater than ever. Most businesses are concerned with external threats like hackers or malware. But, while heads are turned, data breaches could be taking place within your organisation.
We take a look at the different types of internal data abuse, the risks each poses to your organisation and the simple solutions you can apply to overcome them.
An Increasing Problem
The latest government report into information security breaches, covering 2014, reveals some startling statistics:
- 90% of large organisations and 74% of small organisations had a security breach, up from 81% and 60% the year before.
- 75% of large organisations and 31% of small businesses suffered staff-related security breaches, up from 58% and 22% in 2013.
- 50% of the worst breaches were caused by human error, up from 31% the year before.
Faced with these alarming statistics, firms both large and small are taking action to prevent internal abuses: 44% of companies are increasing their spend on cyber security.
But that’s only part of the picture. The other half of the battle is understanding the causes of internal breaches so you can take all the relevant steps to prevent them.
True Digital Security
In the past, data was accessed from company-owned desktop computers and hosted on in-house servers, giving cyber security a fixed, physical boundary to protect.
Today, as more information is held online, people can access business information on mobile devices including personal phones or tablets. While this makes it easy to access documents, emails and other information on-the-go, it means cyber security needs to extend to protect a constantly moving perimeter.
The GDPR means you have a responsibility to protect the personal data of your clients no matter where it’s accessed from.
This means ensuring your employees use trustworthy cloud platforms with strong, well-documented security. Many cloud service providers have adapted their technology and contracts to support GDPR compliance, which takes some of the pain away for you. It does not take away your responsibility, though: the provider secures the platform, but you remain the data controller and are answerable for how access to the data is configured, who can share it and where it ends up.
Working with your IT provider to put suitable cyber security controls in place, such as mobile device management and restrictions on saving to unmanaged devices, will stop data being accessed from or saved to unsecured personal devices. It is another effective way to avoid falling foul of the new data protection law.
Identify the Suspects
Breaches occur for a range of reasons, and each of the following abuses could leave your business in breach of its GDPR obligations, including the duty to secure personal data and to report a breach to the regulator within 72 hours.
- Angry Ex-Employees – fail to shut down access to your IT systems as soon as an employee leaves and you are placing the personal data of your customers and employees at risk of a revenge download. Leavers should lose every account, token and remote-access route on their last day, not at the next quarterly review.
- Accidental Abuse and Human Error – despite a stringent data protection policy, it is still all too easy for staff to send an email from their own device or personal account. Sending data through an unsecured account could mean it reaches someone who should never have had it.
Even the best and brightest aren’t exempt from this kind of mistake – just look at Hillary Clinton.
- Malicious Intent – in its 2016 Data Breach Investigations Report, Verizon found that 66% of breaches were caused by someone using their own IT access credentials to obtain information for purposes outside their job. That could mean obtaining bank or personal details to carry out fraud, or passing personal information such as an address to people outside the organisation.
- User Credential Theft – this kind of breach looks like an inside job but is really an external threat. Employee login details are routinely harvested by outsiders using phishing emails to collect what they need to access your systems.
Once they are in, they can cause significant damage, either stealing data outright or installing spyware to gather information over a period of time, before the alarm is raised. Enforcing multi-factor authentication means a stolen password on its own is no longer enough to log in, and unusual logins (new locations, odd hours, accounts that should be dormant) are worth alerting on.
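Two of the abuses listed above, the ex-employee whose access was never revoked and the insider using legitimate credentials for purposes outside their job, leave traces in ordinary access logs. The following is an added example (not code from the original post or from San-iT) of the kind of offline check a small firm can run over those logs. The HR register, the role-to-system mapping and the log lines are all constructed for illustration; in practice they would come from your HR system, your identity provider and your log collector.

```python
import re
from dataclasses import dataclass
from datetime import datetime, date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Employee:
    role: str
    left_on: Optional[date]  # last working day; None while still employed


# Constructed HR register (illustrative names, not real people).
EMPLOYEES: Dict[str, Employee] = {
    "alice": Employee("sales", None),
    "bob": Employee("sales", None),
    "carol": Employee("support", date(2017, 3, 3)),  # has left
    "dave": Employee("finance", None),
}

# Assumed mapping of which systems each role legitimately needs.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "sales": {"crm"},
    "support": {"crm", "ticketing"},
    "finance": {"crm", "payroll", "banking"},
}

# Any single export above this many records is treated as a bulk download,
# even by someone whose role allows the system. Threshold is illustrative.
BULK_EXPORT_RECORDS = 200

# Constructed log format: "<ISO timestamp> user=<u> system=<s> action=<a> records=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    line: str


def audit(log_lines: List[str],
          employees: Dict[str, Employee] = EMPLOYEES,
          role_access: Dict[str, Set[str]] = ROLE_ACCESS) -> List[Finding]:
    """Flag accesses that match the insider-abuse patterns described above."""
    findings: List[Finding] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(Finding("-", "unparseable log line", line))
            continue
        user = m["user"]
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        emp = employees.get(user)
        if emp is None:
            # Account exists in the logs but not in HR: orphaned or rogue.
            findings.append(Finding(user, "account not in HR register", line))
            continue
        if emp.left_on is not None and when > emp.left_on:
            # The leaver's access was never revoked.
            findings.append(Finding(user, f"access after leaving date {emp.left_on}", line))
            continue
        if m["system"] not in role_access.get(emp.role, set()):
            # Valid credentials used outside the job they were issued for.
            findings.append(Finding(user, f"system {m['system']} outside {emp.role} role", line))
            continue
        if m["action"] == "export" and int(m["records"]) > BULK_EXPORT_RECORDS:
            findings.append(Finding(user, f"bulk export of {m['records']} records", line))
    return findings


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2017-03-02T09:14:55Z user=alice system=crm action=read records=12",
    "2017-03-02T17:42:10Z user=bob system=payroll action=export records=480",
    "2017-03-05T23:05:31Z user=carol system=crm action=read records=3",
    "2017-03-06T08:00:02Z user=dave system=banking action=read records=25",
    "2017-03-06T08:01:40Z user=erin system=crm action=read records=2",
    "2017-03-06T12:00:00Z user=dave system=payroll action=export records=900",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.user:6} {f.reason:45} {f.line}")
```

Each check is deliberately simple and keyed off data you already hold: a leave date from HR, a role from the org chart and a log line from the system. The point is that none of the four flagged lines involves a broken password or a compromised server; every one of them is a valid login doing something it should not.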
Protect Your Business with a Cyber Security Solution
As with any cyber security solution, there are several aspects to consider, and because the perimeter now moves with your people and devices, protection has to follow the data rather than the office walls.
Know Your Data
Firstly, knowing where your data is stored and how it flows through and out of your organisation will help you identify weak points and risks.
Discuss with your colleagues which messaging and social media platforms they use to share information and data. WhatsApp or Facebook Messenger might be on hand, but that does not make them appropriate places to share customer data. Encouraging your team to be open and honest about how they share data is key to mapping your data flows, so you can put the right controls in place.
Technology is Your First Line of Defence
Many firms are introducing newer communication tools like Office 365, Yammer and Microsoft Teams. These online platforms are provided by Microsoft and come with security measures designed to support GDPR compliance; configuring sharing permissions and access controls correctly, however, remains your job.
The main benefit of these tools is that they make it very easy for employees to share documents and data in a secure environment. They also provide safe methods for communication so employees can collaborate, share and work on a single document contained within a secure online cloud.
Another option is to talk to your local IT firm about enforcing device encryption on company and personal laptops, phones and tablets that hold business data. This is an investment well worth making: a lost or stolen device that is encrypted and remotely wipeable is an inconvenience rather than a reportable breach, and loss or theft is one of the issues rising fastest with the growing use of mobile devices.
People Are a Threat
What can you do to counteract human error? Education is a good place to start.
Having mapped out your data flows you’ll know your risks and opportunities for improvement so you can start the education process. Explaining how certain activities place the business and customer’s data at risk can be a surprising eye-opener for many employees who might not think they’re doing anything wrong.
CEO of San-iT, Barry Lowe, says:
“Encourage staff to use protected online spaces, like SharePoint, to collaborate on documents instead of sending them via email, which is less secure. And educate employees about the risks of reaching for their personal, insecure devices. Any tech that doesn’t have company security policies, anti-virus or mobile device management places data – and the business – at risk.”
Internal data abuse is the Trojan horse of data breaches. There is plenty you can do to avoid the hefty fines associated with the GDPR. Investing in technology that does much of the hard work for you is a simple step in the right direction. Complemented with full visibility of your data flows and staff security training, you will be well on the way to meeting your GDPR obligations.
To find out more about protecting your business in line with GDPR regulations, read our recent blogs.