Internal threats to Cyber Security by Sam Thomas

With newspapers full of stories of computer hacking, and the BBC reporting a Russian campaign of cyber-espionage, one may be fooled into believing that the biggest threat to cyber security is external. In fact, by far the most common source of a data breach is internal.

Disgruntled employees who take company data to competitors to secure new employment, or to start their own rival companies, together with simple human error, are a greater threat to cyber security. And what’s worse, employees who remove company data feel entitled to take it. The vast majority of those taking information (two-thirds) felt that they had a right to remove the data because they had been ‘involved in the creation’, with a third believing that there would be an expectation to bring such information with them to a new employer. An earlier study into UK-based employees found that 58 percent of workers said that they would take confidential data if faced with redundancy, and 40 percent were already storing confidential information to enhance their value in the job market.

Remote working practices now mean that an errant employee who is inclined to steal data does not even need to come into the office. Client contacts and files could be downloaded in the comfort of a person’s home before being deployed by an existing rival or new competitor.

The digitisation of documents has also increased the potential risk of human error. Whereas before a mistake-prone employee could leave a single file on a train, a lost laptop or hard drive could now result in a data breach relating to many hundreds or even thousands of individuals.

How then does a firm protect data from an internal threat? The most important step is to understand the risk and prepare in advance of any cyber breach.

Although there are legal provisions, including injunctions, following a breach of confidence, potential applications are often frustrated because the employer cannot show how the stolen information is used in its business, or that its dissemination is likely to harm the company. General skills and knowledge will not be protected by the courts. Before the courts will intervene, the information must be secret or confidential, and its loss must result in commercial damage.

Practically, the employee contract is the best place to start. Cyber terms of use should be clear and agreed before an employee is recruited. Because such terms need regular review and revision, incorporating them through an employee handbook is often the most efficient way to include them in the contract. Cyber terms of use should include an acceptable email and internet policy; data protection procedures; consideration of computer health and safety; discrimination and sexual harassment policies; and the procedures for investigation and sanction if there is a breach.

Gardening leave clauses, which are designed to protect a firm’s client base, are not uncommon; however, there is no reason why more abstract concepts could not also be protected within the employee contract. Software functionality, or elements classified as ideas and principles within the Software Directive, could potentially be protected through appropriate contract provisions. Every basic employee contract should incorporate a condition relating to the protection of confidential information while under the contract. New employees should be asked to sign that they have received, read and will comply with their contract and handbook.

Communication of information is vital to ensuring that employees are aware of the acceptable limits. Notices prompting employees to use confidential waste bins and to keep their desks clear of confidential information have the dual effect of reminding employees of the systems in place and of identifying the information they handle as confidential. The proper disposal of confidential information should be monitored. Confidential information which is released into the public domain through improper disposal will not be protected by the courts.

Finally, training should be used to identify any gaps in employee knowledge. Reasonable training may take the form of lectures, seminars, debates, workshops, online videos or forums. The purpose is to engage employees, to require that they read the relevant procedures, and to monitor that the systems in place are understood. Comprehensive policies and training, recognised within the employee contract and regularly reviewed, are the best precaution against internal threat.

Cyber Security: Law and Practice, chapter 5, identifies further practical advice for a firm concerned with internal threats.
