Thousands of companies have experienced data breaches that damaged their reputation and cost them millions of dollars to settle class action lawsuits brought by customers and shareholders. Aware of these risks, companies now dedicate large portions of their budgets to cyber security. Yet surveys show that most firms still underestimate the threat posed by an internal data breach.
Ponemon Institute surveyed more than a thousand IT professionals and end users at firms in Germany, France, the US and the UK to identify the challenges they face in securing critical data. Among its findings:
- 71% of end users said they often had access to data they shouldn’t see
- 80% of IT professionals believed their firms did not have a data model that enforces strict, need-based access privileges
- 47% believed the end users in their firms were taking appropriate measures to protect the data they had access to
- 22% of employees believed that protecting data was among their firm's top priorities
"This research surfaces an important factor that is often overlooked. Employees commonly have too much access to data, far beyond what is needed to do their assigned tasks. When that access is not tracked or audited, an attack that gains access to employee accounts will have devastating consequences." - Dr. Larry Ponemon, Director of Ponemon Institute.
These startling statistics are reinforced by a separate CyberArk survey of more than 1000 office workers in the UK. About half of those surveyed said they had at some point had access to critical financial information, and roughly as many had access to sensitive HR data such as other employees' bank account details. CyberArk described the findings as alarming and unacceptable.
Exposing your company to a data breach
Excess access creates several risks. An employee who can reach critical data can leak it, deliberately or by accident, to other parties such as competitors or the public. The risk grows when employees can copy data from company computers to personal devices, a practice that appears to be spreading.
Many firms appear to be choosing convenience over security. The Ponemon survey found that 76% of end users considered it acceptable to transfer company files to their personal devices, and more than half preferred to share those files by email. More troubling still, nearly half of the IT professionals interviewed said their companies had no way of knowing when such files were being transferred or changed.
Strict data handling procedures do little good if a company ignores who has access in the first place. Once data reaches an employee's personal device or mailbox, the company no longer controls what is done with it. A separate Varonis study found that about 34% of active user accounts belong to former employees who still have access to company information, and about 46% of those surveyed had user accounts with passwords that never expire.
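The two Varonis conditions above, accounts of departed employees that are still enabled and passwords that never expire, are straightforward to detect once the HR roster and a directory export are placed side by side. The script below is an added example written for this page, not part of the Varonis or Ponemon research; the roster, the directory records, the field names and the dates are all constructed for illustration.

```python
"""Stale-account audit: an added example, not part of the surveys this page cites.

It joins a constructed HR roster with a constructed directory export (the
shape of a simplified Active Directory / LDAP dump) and flags the conditions
the Varonis figures describe: accounts of former employees that are still
enabled, and passwords that never expire. Two related signals worth reviewing
are added: enabled accounts with no HR owner, and accounts that have gone dormant.
All names, dates and field names below are constructed for illustration.
"""
from datetime import date


# Constructed HR roster: employment status as HR records it.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "end_date": date(2018, 3, 31)},
    "carol": {"status": "active"},
    "dave":  {"status": "terminated", "end_date": date(2017, 11, 15)},
}

# Constructed directory export: one record per account.
DIRECTORY = [
    {"sam": "alice",      "enabled": True,  "pwd_never_expires": False, "last_logon": date(2018, 6, 1)},
    {"sam": "bob",        "enabled": True,  "pwd_never_expires": True,  "last_logon": date(2018, 5, 20)},
    {"sam": "carol",      "enabled": True,  "pwd_never_expires": True,  "last_logon": date(2017, 12, 1)},
    {"sam": "dave",       "enabled": False, "pwd_never_expires": False, "last_logon": date(2017, 11, 10)},
    {"sam": "svc_backup", "enabled": True,  "pwd_never_expires": True,  "last_logon": date(2018, 6, 2)},
]

AUDIT_DATE = date(2018, 6, 3)   # fixed "today" so the results are reproducible
DORMANT_DAYS = 90


def audit_accounts(directory, roster, today=AUDIT_DATE, dormant_days=DORMANT_DAYS):
    """Return the accounts that fail each check, keyed by check name."""
    findings = {
        "terminated_still_enabled": [],  # the Varonis "ghost user" condition
        "logon_after_termination": [],   # a ghost account that is actually being used
        "no_hr_owner": [],               # enabled account with nobody accountable for it
        "password_never_expires": [],
        "dormant": [],                   # enabled, but unused for more than dormant_days
    }
    for acct in directory:
        name = acct["sam"]
        person = roster.get(name)

        if acct["pwd_never_expires"]:
            findings["password_never_expires"].append(name)

        if not acct["enabled"]:
            continue  # a disabled account is already contained; skip the remaining checks

        if person is None:
            findings["no_hr_owner"].append(name)
        elif person["status"] == "terminated":
            findings["terminated_still_enabled"].append(name)
            if acct["last_logon"] > person["end_date"]:
                findings["logon_after_termination"].append(name)

        if (today - acct["last_logon"]).days > dormant_days:
            findings["dormant"].append(name)
    return findings


def ghost_share(directory, roster):
    """Fraction of enabled accounts whose owner has left, the kind of figure Varonis reports."""
    enabled = [a for a in directory if a["enabled"]]
    ghosts = audit_accounts(directory, roster)["terminated_still_enabled"]
    return len(ghosts) / len(enabled) if enabled else 0.0


if __name__ == "__main__":
    for check, accounts in audit_accounts(DIRECTORY, HR_ROSTER).items():
        print(f"{check:26} {', '.join(accounts) or '-'}")
    print(f"ghost share of enabled accounts: {ghost_share(DIRECTORY, HR_ROSTER):.0%}")
```

On the constructed data the audit flags bob as a terminated employee whose account is not only enabled but was used seven weeks after his end date, carol for a non-expiring password and 184 days without a logon, and svc_backup as an enabled account with no HR owner. The point of the join is that neither source alone shows the problem: HR knows who left, the directory knows who can still log in, and the gap between them is the exposure.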
Consequences of a data breach
Governments and regulators are stepping up efforts to ensure that firms negligent in data security are severely punished. Under the GDPR, for example, the European Union can impose fines of up to €20 million, or 4% of annual global turnover, whichever is higher, for infringements of its rules on data handling and processing. Of all these consequences, however, the damage to a company's reputation remains the most severe.
Many firms that have suffered a data breach have seen their value fall sharply once news of the breach reached the public. For instance, after the 2013 Yahoo breach was revealed, Verizon reduced the amount it was willing to pay for Yahoo by $350 million. When customers trust you with their personal data, they expect you to protect it, and breaking that trust is a sure way to lose business to your competitors.
If you find yourself in the midst of a data breach, expect multiple class action lawsuits. Plaintiffs' lawyers stay prepared and equipped for exactly this; within days of the news breaking they will reach out to the victims and tell them what they may be entitled to. Returning to the example above, Yahoo agreed to pay around $50 million to compensate victims of its breaches after several class actions were filed against it. Nor is it only customers who can take action: shareholders can bring a class action against the company and the executives responsible. In 2018 Yahoo agreed to pay a further $80 million to settle a class action filed by its shareholders over the same breaches.
Preventing internal data breaches
Companies need to treat internal data security as a priority. Most importantly, the data model should be built on least privilege: employees have access only to the data their role requires, and nothing more. This applies to large corporations and the local mom-and-pop coffee shop alike. Paying for an extra layer of protection is well worth the money; vendors such as One Identity offer identity governance tools that give continuous visibility into who can reach what, so that company and customer information stays out of the wrong hands. Healthcare organizations already work this way: regulations such as HIPAA require them to train staff and restrict access to private information.
There is no reason similar policies should not be written for IT personnel, who more than most are privy to information that others do not need. One approach is the 'behind two locked doors' method. It was designed for physical material, but the same practice applies to digital data: once information has been assigned to the appropriate employee, that employee keeps it behind two independent controls, for example in an encrypted store that itself sits on an access-controlled system, so that a single stolen password or misconfigured share does not expose it. Any second copy kept as a backup needs the same two locks. Done this way the data survives the loss of one system and presents an additional barrier to hackers and dishonest employees alike.
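A least-privilege model is only as good as the review that keeps it tight, and the review the paragraph above calls for can be made mechanical: compare what each person is entitled to with what they actually used over a window, and revoke the rest. The script below is an added example written for this page, not a feature of One Identity or any other product named here; the entitlement table, the access log, the users and the datasets are all constructed for illustration.

```python
"""Least-privilege entitlement review: an added example, not a product feature of
any vendor named on this page.

A constructed entitlement table is compared with a constructed access log over a
review window to produce two lists: grants nobody used (candidates to revoke, so
that access shrinks back to what the job needs) and accesses that happened
without a matching grant (enforcement gaps to investigate). The same deny-by-default
check serves both the live access decision and the after-the-fact review.
All users, datasets and dates are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta


# Constructed entitlements: the datasets each employee may currently read.
GRANTS = {
    "alice": {"payroll", "hr_records", "sales_q1"},
    "bob":   {"sales_q1", "sales_q2"},
    "carol": {"payroll", "hr_records", "sales_q1", "sales_q2", "engineering_docs"},
}

# Constructed access log: (user, dataset, day the read happened).
ACCESS_LOG = [
    ("alice", "sales_q1",         date(2018, 5, 2)),
    ("alice", "sales_q1",         date(2018, 5, 9)),
    ("bob",   "sales_q1",         date(2018, 5, 3)),
    ("bob",   "sales_q2",         date(2018, 5, 3)),
    ("bob",   "payroll",          date(2018, 5, 10)),  # no grant: should have been denied
    ("carol", "payroll",          date(2018, 5, 4)),
    ("carol", "engineering_docs", date(2018, 2, 1)),   # older than the review window
    ("erin",  "sales_q1",         date(2018, 5, 6)),   # unknown user: has no grants at all
]

REVIEW_END = date(2018, 6, 1)
WINDOW_DAYS = 90


def is_allowed(grants, user, dataset):
    """Deny by default: an unknown user or an ungranted dataset is refused."""
    return dataset in grants.get(user, set())


def accesses_in_window(log, end, days):
    """Datasets each user actually read between (end - days) and end, inclusive."""
    start = end - timedelta(days=days)
    used = defaultdict(set)
    for user, dataset, when in log:
        if start <= when <= end:
            used[user].add(dataset)
    return used


def excess_entitlements(grants, log, end=REVIEW_END, days=WINDOW_DAYS):
    """Granted datasets a user never read during the window: candidates to revoke."""
    used = accesses_in_window(log, end, days)
    excess = {}
    for user, datasets in grants.items():
        unused = datasets - used.get(user, set())
        if unused:
            excess[user] = sorted(unused)
    return excess


def ungranted_accesses(grants, log):
    """Log entries the policy would have denied: gaps in enforcement to investigate."""
    return [(u, d, w) for u, d, w in log if not is_allowed(grants, u, d)]


if __name__ == "__main__":
    print("revoke candidates:", excess_entitlements(GRANTS, ACCESS_LOG))
    print("ungranted accesses:", ungranted_accesses(GRANTS, ACCESS_LOG))
```

On the constructed data, alice has payroll and HR access she never used in the 90-day window, and carol holds five entitlements but exercised one; both are the "access far beyond what is needed" that Dr. Ponemon describes. The log also shows bob reading payroll without a grant and an unknown user erin reading sales data, which means the controls that should have enforced the grants were bypassed somewhere and that needs investigating before the revocations are worth much.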