Last month a disgruntled Citibank employee was sentenced to 21 months in a Texan prison after he issued commands which left 90% of all Citibank branch offices without network or phone access. In court, the employee admitted “They [were] firing me. I just beat them to it… the upper management need to see what these guys on the floor [are] capable of doing when they keep getting mistreated…”
Businesses are alive to external cyber attacks but as this example highlights, problems may be lurking closer to home. ‘Insider threats’ may be one of the biggest and least reported risks facing businesses today. A malicious employee can wreak havoc on an operating system at the touch of a button. Insiders can expose confidential information, violate data protection rules, compromise trade secrets and severely damage reputations, not to mention the impact on the bottom line.
Whilst most businesses would prefer to keep such things under wraps to avoid the bad press the problem is very real. In January this year, GlaxoSmithKline was reported to have been ‘attacked’ when two of their own scientists allegedly hacked into the system and stole confidential cancer research to sell on. According to the 2015 ‘Vormetric Insider Threat Report’[1] 89% of global respondents felt their business was now more at risk from an insider attack with 34% saying they felt “very or extremely vulnerable”. Businesses must be on the front foot to combat both opportunistic and premeditated attacks.
The Aftermath
If a similar situation to Citibank occurred in the UK, the individual would be prosecuted under the Computer Misuse Act 1990. Where individuals are found guilty of “unauthorised access to computer material” (as in the Citibank example) or worse, accesses a computer illicitly with the intent to steal and sell on hacked data (as in the GlaxoSmithKline example), the individual risks a prison sentence of between 2 and 10 years depending on the severity of the charge. In addition, if an individual is found guilty of personal data theft under the Data Protection Act 1998, he will be liable to a fine of up to £500,000.
The consequences for the business are wide ranging as is the action that can be taken. The regulatory ramifications of data theft were highlighted in the recent case of Axon where the court stated that an employer may be vicariously liable for a data breach caused by a rogue employee. Moreover, if a company suffers an attack of this nature, they may be liable to their customers or suppliers for (1) breach of an express or implied term that personal data would be stored securely and/or (2) negligence, in failing to take reasonable security precautions storing customer information.
Data protection regulation is being taken increasingly seriously under the new General Data Protection Regulation (GDPR) which is set to come into force in May 2018. Fines will be increased to up to €20 million or 4% of global turnover, whichever is greater. The amount will depend on the type of company and the scale of the breach. Furthermore, whilst it is currently not obligatory to notify the ICO of a data breach, the GDPR makes it mandatory to notify the ICO within 72 hours.
As the examples of Citibank, GlaxoSmithKline and even the NSA in the case of Edward Snowdon reveal, even the most secure of organisations are vulnerable to such attacks. Businesses have the tools and more of a responsibility to tackle insider threats than outside attacks over which they have no control.
Tackling the Threat
Prevention is always better than cure. Access to highly sensitive information should be limited, documents encrypted and passwords and access rights made use of. Recognising and neutralising ‘at-risk’ insiders before they reach crisis point is key. Precautions may include background checks for new starters, robust IT and Data Protection policies and comprehensive risk management procedures.
A support team comprising senior management, HR, IT and legal advisors who can identify trigger events (redundancies or a change of ownership) and high risk individuals (employees under notice to leave) should be ready to take action without creating a culture of distrust. If an individual is under notice period of termination, IT should monitor the employee’s access to the server to ensure confidential information is not sent to a personal account always assuming there is the appropriate monitoring power in the IT Policy. Robust confidentiality clauses should be included in all employment contracts to clearly identify and protect confidential information. Remedies for breach of confidentially include an application to the high court for injunctive relief or a civil claim for breach of contract. Finally, training your workforce on their security responsibilities will get them ‘on side’ and hopefully empower them to form the business’s strongest line of defence against both outside and inside jobs.