Are employers facing a data loss nightmare as employees take less care?

Opinion by Dan Raywood

There has been several recurring subjects this week in the field of security, but among rumours of another payment processor being breached and the launch of a revolutionary concept came the same old story - have you heard the latest about employee sabotage?

There has been several recurring subjects this week in the field of security, but among rumours of another payment processor being breached and the launch of a revolutionary concept came the same old story – have you heard the latest about employee sabotage?

Of course this was an area that I covered two weeks ago, and in that instance the focus was on how former employees were deliberately infiltrating their former companies to sabotage the servers or conduct some sort of malicious attack.

This week however, the focus has been more on the case of accidental incidents, where employees unwittingly put their companies at risk by their actions.

One survey, which caught the eye, was from Deloitte who revealed that 91 per cent of companies have experienced at least one information security breach in the last 12 months and that staff are breaching the basic security protocols and not following security policies.

In further research, NCC Group found that over one third of recipients were willing to open and play an online game without knowing its origin. A link to the game ‘Bish Bash Bush', which features Hilary Clinton and President Barack Obama kicking George W. Bush out of the White House, was anonymously distributed via email and social media websites.

This revealed that in addition to risking their own security, an alarming number of people forwarded the game and it is now being played in 19 different countries, including Bermuda, Chile and Azerbaijan.

NCC Group claimed that this reinforces its message that it is not enough to have firewalls in place as determined hackers and data thieves will always be able to find a way to steal data or disrupt your business, whilst staff are unaware of the risks they may be opening the company up to.

Rob Cotton, CEO of NCC Group, claimed that it was staggering to find that companies are investing heavily in protecting their data, when simple policies are still not being communicated and enforced internally.

He said: “We were astounded that staff in companies that hold significant volumes of financial information and personal details on customers, suppliers and shareholders still made the decision to click on this unsecured link.

“With regular stories hitting the headlines about government departments physically losing data, it is shocking that so many people are actually helping cyber-terrorists to by-pass firewalls and corporate security tools and leaving themselves and their companies wide open to potential disaster.”

However Gary Clark, vice president EMEA at SafeNet claimed that the figures released by Deloitte are alarming but are simply a signal that things could get worse.

Clark said: “In a recession, levels of crime – particularly cases of fraud and identity theft – rise. Over the next year we're likely to see more targeted attacks. Now is not the time for cutbacks in security spending – in fact businesses should be increasing their budgets rather than reducing them.

“All organisations have a responsibility to protect their data whether it's at rest, in transit, or in use. When customers come to enter their credit card details, they need 100 per cent confidence that their information will be protected. They should be able to trust that stringent practices and appropriate safeguards are in place to secure their financial data.”

Another survey by Symantec and the Ponemon Institute revealed that 79 per cent of respondents took data without an employer's permission, while 82 per cent of respondents said their employers did not perform an audit or review of paper or electronic documents before the respondent left his/her job.

Rob Greer, senior director of product management for data loss prevention solutions at Symantec, said: “Data loss during downsizing is preventable. We can prevent employees from emailing sensitive content to personal webmail accounts or downloading it onto USB drives. Companies need to implement data loss prevention technologies so they know exactly where sensitive data resides, how it is being used, and prevent it from being copied, downloaded or sent outside the company.”

Is this as simple as implementing procedures though? Can companies distribute a document to be signed by all staff that declares ‘I promise I will not steal any company data, either intentionally or inadvertently'? One answer is yes, this can be done, and it could well make a difference to these survey results, but on the other hand how many people will accidentally forget about the policy and create a data breach.

Earlier this week I was at the Check Point Experience at Disneyland Paris, and one of the features of its new software blades launch were blades that covered data loss and protected the virtual private network. This is a significant step forward, not just from the perspective of the technology, but from the fact that an appliance has been developed specifically to deal with data loss.

I am sure that others will follow in their steps, but for the moment it is up to companies to be stricter with employees while allowing a level of internet usage and freedom that suits their needs.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events