For obvious reasons I am following the issue of Wirecard and the “disappearance” of about $2.1 billion allegedly in the Philippines, after employees of two leading banks created fake documents, with great interest.
Two questions come up immediately: 1. Why did the German company select the Philippines as the fake recipient of the money? 2. Who orchestrated the involvement of the two employees in the two selected Philippine banks? But those two issues are not what I am writing about. My concern is the security threat created by employees.
Plenty of companies aren’t taking basic steps to improve their readiness in data protection, leaving them exposed to breaches that can threaten their existence.
Those looking to steal an organization’s data may be proxies for hostile foreign governments, career cybercriminals, or enraged activists. But they are just as likely to be members of the organization’s own staff.
It is obvious that not all organizations are well prepared to counter insider threats.
Traditionally, pre-employment screening has been the main way organizations guard against insider attacks, particularly for jobs requiring a security clearance. Checking references from previous employers may highlight concerns about an individual’s reliability or temperament; criminal-record checks may show that an individual is unsuited to working with sensitive data; and credit checks may reveal financial vulnerability.
However, screening is a point-in-time assessment, and once someone joins a company, he or she is rarely if ever checked again. Data from a 2013 UK government study found that 76 percent of inside attackers had not joined the company with the intention of stealing data or sabotaging operations.
The decision to act maliciously came as a result of changes in the employee’s financial situation, changes in ideology, a desire for recognition, a negative work experience, drug or alcohol dependency, or poor management. Only 6 percent of the 120 cases in the study came as a result of deliberate infiltration, while the remainder were coerced by third parties to engage in an attack.
Technology is not a silver bullet, but it certainly bolsters a company’s defenses against insider attack. Artificial intelligence and behavioral analytics can identify user actions that diverge from the norm, such as employees accessing the corporate network outside of normal hours, or trying to view restricted data.
Effective management is key to early detection of disgruntled employees, as is ensuring employees only have permission to access the data they need to perform their role.
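As an added illustration of the two controls described above (not code from the original post, and not any particular product): a small Python script that derives each user’s normal working hours from a constructed access log, then flags off-hours access and access to resources outside the user’s role. The users, roles, resources and timestamps are invented for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs, "timestamp,user,resource" (not from any real incident).
HISTORY = """\
2020-06-01T09:12:00,alice,finance/ledger
2020-06-01T14:30:00,alice,finance/ledger
2020-06-02T16:50:00,alice,finance/ledger
2020-06-01T11:00:00,bob,ops/tickets
2020-06-02T13:00:00,bob,ops/tickets
"""
TODAY = """\
2020-06-03T02:41:00,alice,finance/ledger
2020-06-03T10:30:00,alice,finance/ledger
2020-06-03T11:45:00,bob,finance/ledger
2020-06-03T13:10:00,bob,ops/tickets
"""
# Hypothetical role assignments and the resources each role actually needs.
USER_ROLE = {"alice": "finance", "bob": "operations"}
ROLE_RESOURCES = {"finance": {"finance/ledger"}, "operations": {"ops/tickets"}}

def parse_log(text):
    """Parse CSV lines into (datetime, user, resource) tuples."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), u, r) for ts, u, r in rows]

def build_baseline(events, pad_hours=1):
    """Per-user working window: earliest/latest hour seen, widened by pad_hours."""
    hours = defaultdict(list)
    for ts, user, _ in events:
        hours[user].append(ts.hour)
    return {u: (max(min(h) - pad_hours, 0), min(max(h) + pad_hours, 23))
            for u, h in hours.items()}

def detect_anomalies(events, baseline):
    """Flag off-hours access, access outside the user's role, or unknown users."""
    findings = []
    for ts, user, resource in events:
        window = baseline.get(user)
        if window is None:
            findings.append((user, ts.isoformat(), "no baseline for user"))
        elif not window[0] <= ts.hour <= window[1]:
            findings.append((user, ts.isoformat(), "off-hours access"))
        if resource not in ROLE_RESOURCES.get(USER_ROLE.get(user), set()):
            findings.append((user, ts.isoformat(), f"restricted resource {resource}"))
    return findings

def review_today():
    return detect_anomalies(parse_log(TODAY), build_baseline(parse_log(HISTORY)))
```

Running `review_today()` flags alice’s 02:41 access as off-hours and bob’s read of the finance ledger as outside his role, while the ordinary accesses pass.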
Given this scenario, it is essential that companies take the role of the Data Protection Officer seriously and provide the DPO with the tools that are required (and available) to control what’s going on in all departments and subsidiaries of the organization, with special emphasis on employees in operations.
Why? Data breaches mostly happen at the operational level, whether maliciously or by mistake. It is essential that companies look at five simple steps:
Create a governance structure—Appoint a DPO (as the Philippine Data Privacy Act provides) and create a governance structure to collaborate on the Privacy Program.
Identify risks—Identify inventory risks, process risks, compliance risks and project/product risks which, if not controlled, may result in privacy breaches or incidents.
Manage programs—Communicate policies, ensure the implementation of controls and achieve accountability by staff and management.
Sustain compliance initiatives—Train and test staff and conduct audits on an ongoing basis to sustain initiatives.
Respond to data subject requests and incidents—Document and manage incidents and breaches, and data subject requests.
Is there software to achieve operational compliance with data protection, implement data protection and demonstrate accountability to regulators? Yes, there is (you can ask me for assistance).
In conclusion, finding a balance between trusting employees and verifying they are performing within the bounds of information-security policies is a key part of any cyber-risk management program. Getting it wrong can have devastating business consequences. If you need assistance, let me know—you can contact me at Schumacher@eitsc.com