The "threat of insiders" is often overlooked in companies but it can be as harmful to employers as a hacker or fraudster, and the risk is even greater during a pandemic. The actions of employees may not be at all intentional but can still cause great damage - for example, clicking on a fraudulent link on a computer.
Employees cannot be monitored as closely at home, which increases the risk. In addition, information security teams may have to focus on other challenges (e.g. the transition of employees to home office and solving IT problems that arise from the nature of their work); thus they cannot devote as much time to monitoring activities.
There is also a growing number of opportunistic hackers who often take advantage of times of crisis and generally increased anxiety of the population. For example, since the beginning of the year, Google has seen a 350% increase in phishing attacks.
At the same time, employees may feel more separated from the team and the company: they lack job security, especially if the company is dealing with cuts; there is also the risk of redundancies and a lack of adequate communication. This can increase the "intentional threat" in which employees may have a greater incentive to harm employers.
How can employers protect themselves?
Principles for working with data
There is a need to establish clear policies setting out how data is to be stored, who has access to it and how to report breaches.
Training
Provide all employees with mandatory training on phishing scams, how to report suspicious activity, and how to keep data safe. More thorough training should be provided to data processors.
Communication
Maintaining employees' awareness of risks and providing important information about data security is as important as communication aimed at maintaining involvement and morale. Keeping in regular contact may help employees feel they are being supported and increase the likelihood of their reporting any suspicious activity.
Restrictions on employees' access to data
The number of employees with access to confidential data should be limited. It is necessary to have a record of who has access to what data and to state clearly in the employment contract how this data should be used so that any breach can be clearly identified. All employees who have left the company or been laid off should have their access removed and their login/e-mail accounts terminated so as to reduce the risk of a disgruntled former employee committing a data breach.
Responsible employees
Employers should have a designated team to address these risks; this team should be the first point of contact for reporting suspicious activity or violations.
Action plan
Although preventive action is best, it is also important to have a breach response plan in place so that the consequences of any data breach can be mitigated as quickly as possible.
Security precautions
These include proper antivirus software, use of a secure network, plus the implementation of automated logging of computer systems and platforms to identify those who have access to the data. USB ports should be locked so that data cannot be transferred via USB.
Clean desk policy
This is especially important for home workplaces, where employees may share their workspace with flatmates and are unlikely to have materials and equipment as well secured as in the office. Employees should also be told how to handle confidential information securely, as it is unlikely that they will have access to equipment for shredding confidential paper documents at home.
Regular review
It is important that risk and data management be an ongoing commitment. Training and communication should be regular, and policies should be reviewed frequently to ensure they are up to date and adhered to by employees.
-bb-