The working-from-home environment, coupled with lockdown, has exposed companies to additional risks of fraud and the unintentional leaking of confidential information. So what can they do about it, asks David Lorrimer.
The Morrisons Supreme Court decision allowed employers to breathe a sigh of relief as the retailer was held not to be vicariously liable for the actions of a rogue employee.
However, in the same breath, the Supreme Court suggested that employers could be held vicariously liable for data breaches by their employees, thus giving rise to an “insider threat”. This article looks at what the insider threat is, and the practical steps employers can take to protect themselves.
What does the insider threat look like?
The insider threat is often overlooked, but it can be as harmful to an employer as a more traditional hacker or fraudster. It can be either intentional (a disgruntled employee, as in Morrisons) or accidental (an employee who unintentionally causes damage, for example by clicking on a link in a phishing email). The insider threat has been further increased during the current Covid-19 pandemic, for several reasons:
The working from home environment
Staff cannot be monitored as closely while at home, making the risk of an accidental threat greater. Information security teams may also be focusing on other challenges (for example, transitioning staff members to homeworking environments and solving the IT issues that arise from homeworking), so cannot dedicate as much time to monitoring activity.
Covid-19 impact on recruitment
The increase in opportunistic actors
Hackers often take advantage of times of crisis and increased anxiety across the population, for example by posing as public health authorities or HMRC (in connection with furlough grants). Google, for instance, has reported a 350% increase in phishing attacks since the start of the year.
Employee morale
Employees may feel more detached from the workplace as they are not physically present in the office (and this increases the longer we are in lockdown). Employees may also be anxious about job security, especially if pay cuts have been introduced, if some workers have been furloughed, or if there is a threat of redundancies. This may increase the “intentional threat”, as staff may have a greater incentive to harm their employer.
How can employers protect themselves?
Policies
Have a clear data policy in place, setting out how data should be stored, who can access it, and how to report a breach.
Training
Give all staff regular mandatory training on spotting phishing scams, how to report suspicious activity, and how to keep data secure. More in-depth training should be given to data processors.
Communication
Keeping employees updated on risk and giving them important information about data security is as important as communication aimed at keeping up engagement and morale. People can feel isolated when they are working alone for prolonged periods, which can increase the risk of a less innocent insider threat. Keeping in regular contact can help staff feel supported, and may make them more likely to report any suspicious activity.
Limit staff with access to data
The number of staff who have access to confidential data should be limited; for example, only HR and accounts should have access to payroll data. Keep a record of who has access to what data, and clearly set out in the employment contract how that data should be used, so that a breach can be clearly identified. Further, any staff who have left, or have been made redundant, should have their access removed and their log-in and email accounts suspended, to reduce the risk of a disgruntled ex-employee committing a data breach.
Designated staff
Employers should have a designated team dealing with these risks, which should be the first port of call for reporting any suspicious activity or breaches.
Have an action plan
While preventative steps are best, it is also important to have a plan in place for responding to a breach, so that the consequences of any data breach can be mitigated as quickly as possible.
Security measures
These could include having appropriate virus protection software, using a secure network, and implementing automated logging on computer systems and platforms so that those who have accessed data can be identified. USB ports should be locked so that data cannot be copied to a USB stick.
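The access register, leaver handling and access logging described under “Limit staff with access to data” and “Security measures” can be checked mechanically. The following is an added example, not code from the article or from any firm it mentions: it reconciles a constructed access register against the article's payroll rule (only HR and accounts) and a leaver list, then runs constructed audit-log lines against that register. All account names, data-set labels and log lines are invented for illustration.

```python
"""Periodic access review: flag leavers still holding accounts, grants that
breach the data policy, and logged accesses the register does not cover.
Added example; every name, data set and log line below is constructed."""

# Constructed register: account -> data sets the account has been granted.
ACCESS_REGISTER = {
    "alice": {"payroll", "hr-files"},        # HR
    "bob": {"payroll", "ledger"},            # accounts
    "carol": {"payroll", "sales-pipeline"},  # sales: payroll grant breaches policy
    "dave": {"ledger"},                      # accounts, left last month
}
DEPARTMENTS = {"alice": "HR", "bob": "accounts", "carol": "sales", "dave": "accounts"}
# Policy from the article: only HR and accounts may hold payroll data.
POLICY = {"payroll": {"HR", "accounts"}}
# Constructed leaver list as supplied by HR.
LEAVERS = {"dave"}


def review_register(register, departments, policy, leavers):
    """Return (accounts_to_suspend, grants_to_revoke), both sorted."""
    suspend = sorted(acct for acct in register if acct in leavers)
    revoke = []
    for acct, datasets in register.items():
        for ds in sorted(datasets):
            allowed = policy.get(ds)
            if allowed is not None and departments.get(acct) not in allowed:
                revoke.append((acct, ds))
    return suspend, sorted(revoke)


# Constructed audit-log lines: "<timestamp> <account> READ <dataset>".
AUDIT_LOG = """\
2020-05-04T09:12:01 alice READ payroll
2020-05-04T09:15:40 erin READ payroll
2020-05-04T10:02:13 dave READ ledger
2020-05-04T10:30:55 bob READ ledger
"""


def unauthorised_accesses(log_text, register, leavers):
    """Events where the account is a leaver, unknown, or lacks a grant for the data set."""
    findings = []
    for line in log_text.splitlines():
        ts, acct, _action, ds = line.split()
        if acct in leavers:
            findings.append((ts, acct, ds, "leaver still active"))
        elif ds not in register.get(acct, set()):
            findings.append((ts, acct, ds, "no grant on register"))
    return findings


if __name__ == "__main__":
    print(review_register(ACCESS_REGISTER, DEPARTMENTS, POLICY, LEAVERS))
    for finding in unauthorised_accesses(AUDIT_LOG, ACCESS_REGISTER, LEAVERS):
        print(finding)
```

Run against a real register export and log feed, the same two functions give the suspend list and the policy breaches that the “Regular review” step should produce on a schedule.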
Have a clean desk policy
This especially applies at home, where people may be sharing a house or the house may not be as secure as an office – confidential information should be kept locked away. Employees should also be told how to dispose of confidential information safely, as they are unlikely to have access to confidential paper-shredding facilities at home.
Regular review
Importantly, risk and data management is an ongoing obligation. Training and communication should be regular, and policies should be reviewed regularly to ensure that they are up to date and still being followed by staff members.