Working to Prevent Internal Data Breaches
When news breaks of another large-scale data breach, especially one that affects millions of consumers at a time, it’s all too easy to envision a faceless hacker who sits safely outside the reach of the law. But the reality of data breaches is that a significant number of them are “inside job” attacks, whether intentional or accidental.
An accidental data breach can happen within practically any organization. And with the rise of more sophisticated approaches like “boss phishing,” it only takes a little bit of hacking know-how to pull it off. The rest of the dirty work is done by an unsuspecting employee who complies with the instructions in an email or message.
Accidental data breaches also crop up through the loss or theft of unencrypted company computers, through inadvertently uploading the wrong file to the wrong person, downloading content from an untrustworthy website, and other seemingly innocent but still harmful means.
But intentional data breaches from someone within the company are a whole other problem, and the software industry has stepped up to provide employee monitoring programs that can alert the company to suspicious behavior. This software can alert the administration whenever someone tries to access massive amounts of information, like employee or customer records. It can also send out an alert that an employee has altered the times of day that he’s active on the network, such as someone who suddenly starts logging in at night or on weekends. It can inform the manager if an employee sends higher than normal numbers of emails all of a sudden, which can be a sign of an employee who’s looking to leave the company. Some titles even monitor employees’ social media accounts and report back to the boss on what kind of content they post.
Those last issues have privacy experts concerned, though. It’s one thing to monitor a network to make sure sensitive information isn’t accessed or downloaded. But advocates worry that monitoring employees’ email or social media could be an invasion of their privacy, especially since some monitoring software can look for keywords that the boss can choose.
Does the benefit outweigh the privacy risk? That’s a tough call. When Morgan Stanley suffered an internal data breach in 2014, Galen Marsh downloaded account information for more than 900 high-dollar investment accounts; some sources believe he was trying to leave the company and take the top-tier clients with him. Instead, his defense argued that his own laptop was hacked and the downloaded information was stolen. With employee monitoring software, the resulting data breach might have been avoided as executives would have been notified when Marsh first downloaded the information to his laptop.
There is a middle ground when it comes to preventing internal data breaches. Having a company-wide computer policy and making sure that all employees are up-to-date on the acceptable use of technology is crucial. Keeping your workforce informed of threats like boss phishing and the danger of downloading unscanned content is also important. If a company deals in content that is so sensitive that it warrants employee monitoring software, make sure everyone is informed of the need for it. Let everyone within the company know how it works and what it’s watching out for. It’s there to protect the company and its customers, not to hunt down those who break the rules.