How employees can ruin a perfect business continuity program

Business continuity is not just about natural disasters, system disruptions and cyberattacks, but also about the human factor, which poses two main risks: human error and malicious activity.

The human factor should be treated as a crucial issue that can undermine your company’s business continuity program. A strong corporate culture is often recommended to prevent information misuse, but it might not be enough. Keeping your employees happy doesn’t guarantee that a competitor won’t make them happier, or that you will never hire a “spy”.

Data can be exposed accidentally without the employee even knowing how or why. Human error is unavoidable, since people make mistakes (for example, occasionally sending a message to the wrong email address), but its impact can be minimised.

A deliberate breach can occur as often as a negligent one, and there are several main motives:

Sabotage

Employees may be displeased with their job tasks or their relationships with colleagues, passed over for a promotion or bonus, and lured by competitors or by the opportunity to sell data on the dark web. Staffers who have just been dismissed can present a threat to an organisation if they keep in touch with former colleagues or still have an active account that allows them to get into the network.

Revenge

Resignation or dismissal can turn destructive, especially if a company doesn’t revoke access to its systems. A former employee can act without any concern about being identified and penalised.

Some employees are simply dissatisfied with the way jobs are allocated or with the company’s position. Such violators present a bigger risk because they pose a deliberate threat with a planned scenario. Their purpose may not be only the remuneration offered by a competitor; it can be a desire for revenge by planting a logic bomb or simply deleting confidential information.

Financial gain

People can sell sensitive information if they need money. They may even rationalise their motives and think of themselves as mere intermediaries. Some are sure that what they take from the company isn’t that substantial. This makes the image of the offender much more human: the perpetrator of insider crime, which many organisations still regard as a rare case not worth major investment, turns out to be an ordinary staffer with everyday problems.

Although GDPR entered into force a little more than a year ago and has since required that a data breach be reported within 72 hours of an incident, the statistics show that disclosure issues haven’t been solved and that corporate activity is not becoming more transparent.

According to a report prepared by nCipher Security, 71% of C-level managers are willing to cover up data leaks, whereas 61% of IT specialists claim they would hide the details of a data breach if no penalties followed.

Deep Secure claims that nearly half of staff members would sell confidential data to external parties. In its announcement the company indicated that “£1,000 would be enough to tempt 25% of employees to give away company information”, while 5% would reveal it for no money at all.

10% of respondents to the What Is the Price of Loyalty report would be ready to sell product details and patents for £250 or even less, and 19% of the surveyed graduate-level specialists acknowledge having been approached with an offer to leak information for payment.

What to do? A brief reminder.

Prevent data from leaking to external sources

Track communication and data transfer channels, including email, messengers, Skype, web forms and online chats, and detect data copied to cloud storage or flash drives, sent to printers, and so on.

Detect unauthorised invasion

Watch the mission-critical systems, i.e. those whose role is essential to the survival of the business or organisation: servers housing customer or employee data, e-mail systems, web servers, the Active Directory server, and so on.

Elaborate your policies and monitoring

The ability to identify which resources (websites, applications, software) employees use and what they use them for, what they search for and which terms they enter into a search engine, is important for recognising staff members’ aims and intentions.

Assess the relevance of your instrument configurations

Given the subtleties and complexities of the various regulators, compliance with the latest rules and norms should be evaluated continuously, as should conformity to the required level of protection against internal and external threats.

Monitor employees

Integrating and developing an employee monitoring system will assist your HR specialist or risk manager with processes such as safe recruitment, job allocation, and identification of abnormal behaviour or staffers predisposed to fraud.
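As an added example (not code from the original post or from SearchInform), here is a small Python check for the risk raised above: a dismissed staffer whose account was never revoked and is still signing in to a critical system. It assumes a constructed HR offboarding list, a constructed directory snapshot and a constructed authentication log, all embedded inline.

```python
"""Added example: cross-check an HR offboarding list against a directory snapshot
and an authentication log to flag dismissed staff who are still enabled or still
signing in. Every record below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed HR offboarding list: username -> end of the last working day.
OFFBOARDED = {
    "jdoe": datetime(2019, 6, 28, 18, 0),
    "msmith": datetime(2019, 7, 3, 18, 0),
}

# Constructed directory snapshot: username -> "account enabled" flag.
DIRECTORY = {"jdoe": True, "msmith": False, "alee": True}

# Constructed authentication log (one key=value event per line).
AUTH_LOG = """\
2019-07-01T08:02:11 user=alee result=success src=10.0.4.15 svc=vpn
2019-07-01T22:47:03 user=jdoe result=success src=203.0.113.9 svc=vpn
2019-07-02T09:10:44 user=msmith result=failure src=10.0.4.22 svc=mail
2019-07-05T01:15:27 user=msmith result=success src=198.51.100.7 svc=owa
2019-06-27T17:30:00 user=jdoe result=success src=10.0.4.40 svc=fileshare
"""

def parse_auth_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def stale_accounts(offboarded, directory):
    """Dismissed users whose directory account is still enabled (never revoked)."""
    return sorted(u for u, enabled in directory.items() if enabled and u in offboarded)

def post_termination_logins(events, offboarded, grace_days=0):
    """Successful sign-ins by a dismissed user after their last day plus a grace period."""
    hits = []
    for ev in events:
        cutoff = offboarded.get(ev["user"])
        if cutoff and ev["result"] == "success" and ev["ts"] > cutoff + timedelta(days=grace_days):
            hits.append((ev["user"], ev["ts"].isoformat(), ev["src"], ev["svc"]))
    return sorted(hits)

if __name__ == "__main__":
    print("still enabled after dismissal:", stale_accounts(OFFBOARDED, DIRECTORY))
    for hit in post_termination_logins(parse_auth_log(AUTH_LOG), OFFBOARDED):
        print("post-termination login:", hit)
```

Note that the failed sign-in by msmith is not flagged; only successful sessions are, since a still-enabled account that actually authenticates is the case the checklist item is about.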

Alex Parfentiev
Major threats to your business: human factor

Leading Analyst at https://searchinform.com/, I’m here to address those human factor risks many businesses often neglect or aren’t even aware of.