What can employers do to prevent security breaches from the inside?

20 August 2018

Some of the biggest threats currently facing companies, according to Gowling WLG's digital risk calculator, include external cyber attacks, loss of highly sensitive data and lack of knowledge amongst employers. These are real concerns for employers, and while many attacks come in the form of phishing scams, another key worry is the vulnerability companies face from rogue employees.

So what can employers do to minimise these risks and how can they spot the signs? Here, our employment team take a look at the essentials of how to avoid digital risk.

Avoiding digital risk: more difficult than it seems

In hindsight, it always seems obvious how digital risk can be minimised: increased training, warning posters and better online protection technology. However, falling victim to a digital attack is almost impossible to prevent altogether, especially when rogue employees are to blame. That's because employees carry, and have access to, vast amounts of data that can be misplaced or sold. And while it's important to have training in place, companies also need to adopt a culture change.

Employees don't become rogue overnight. There are many obvious warning signs: employees feeling aggrieved by the working environment; employees on notice and leaving to join a rival company; and employees leaving the company on poor terms. How employers deal with these situations can be the difference between a data leak and avoiding possible catastrophic - and embarrassing - consequences.

As rogue employees can be the cause of a cyber security incident, employers need to understand how to effectively manage digital risk.

A recent Government survey of the FTSE 350 revealed that an astonishing 68% of board members have not been trained to deal with cyber security incidents. The report also suggested that more than half of board members recognise that cyber threats are a top risk to their business, showing that this growing risk is on the radar. However, it's clear from this report that not enough people are taking steps to actually do anything about these digital risks. There is a clear need to change the way we look at online security: either people aren't being trained, or they haven't got around to it, which makes it a low priority.

So how avoidable are digital risks, such as cyber attacks and rogue employees, and how can they be avoided?

It is most unlikely that having rules and procedures in place will actually prevent digital attacks from happening. After all, it's safe to presume that most companies that have had an attack happen against them have had some form of work process in place to prevent such an event from occurring. Having a rules-based approach to minimising digital risk has no guarantees and may provide a false sense of security.

How can employers minimise digital risk?

The simple answer is that digital risk is very difficult to avoid. As well as ensuring that technology is up to date and is actually protecting your business, employers need to adopt a new culture. The first step is to give information security the same priority as health and safety. Health and safety, quite rightly, sits at the top of many, if not most, companies' priority lists, and protecting employees to ensure their safety is taken seriously. When employees perceive a health and safety risk, they are more likely to tell someone about it to ensure it's fixed. Placing the same priority status on information security is the shift in company culture that will help prevent future attacks from happening.

Many companies pride themselves on building a business model on supposedly secure systems, with rules in place and a strict structure that stresses the importance of confidentiality and data handling. But if the culture of the business doesn't support that, these apparent preventions won't work. That's because people are prone to making mistakes.

Many companies have a long list of health and safety training, rules and procedures. The culture this has embedded ensures that most people know how to look after each other, how to spot signs of hazards and what to do in case of emergency. Likewise, for information security, some companies have a long list of training, rules and procedures, but if the culture isn't there and employees don't believe an incident will affect them the way a health and safety incident would, then mistakes will continue to happen.

Until employers start to prioritise information security, the culture won't change and employers will continue to make mistakes. But if those mistakes do happen and data is breached, then employers need to be smart and act quickly to ensure the best possible defence is available. Fundamentally, an educational piece about where files are stored and what's inappropriate needs to be introduced, and employees also need to understand how a data breach might affect them as well as the company. It's this change in culture that must support the technology in place and will help avoid future digital risk.

What should employers do if data has been hacked?

Once there has been a breach of data, the law really comes into play. There are many processes and procedures that would have to be followed to retrieve data, including ensuring you act immediately. To prevent the misuse of information from becoming a significant issue, you cannot sit and wait for something to happen. Courts do not forgive delay - if you don't care enough to deal with it quickly, you probably don't care enough about it in the first place.

If the hack is the result of a rogue employee, employers should ask to examine personal devices. There is a sensitivity around this, as employees still have the right to privacy and it's difficult to persuade the courts that a former employee should hand over their devices. If the device belongs to the company, it can and should be checked.

If an employee is suspected of being rogue, their right to privacy must still be upheld. Employers need to balance their right to secure data with an employee's privacy.

Other steps employers can take include:

  • Establish a task force: Establishing a team charged with the immediate response to the data loss, as well as its subsequent investigation, remediation and evaluation, will help prepare for situations where attacks happen.
  • Decide who receives information: If your company is in the middle of an information security crisis, it is at greater risk of another attack. Therefore, employers need to consider up-front who should receive information and share it on a need-to-know basis.
  • Seek specialist advice: If your employee has gone rogue, it is likely that your company protocol will include disciplining and potentially dismissing them from the business. Ensure you seek specialist employment law advice so that the appropriate legal steps are taken.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.