Legal Briefing

Cyber security: the human element

Technology, Media and Telecoms | 15 March 2016

Naive or disgruntled employees frequently pose the greatest risk to cyber security and, more widely, protection of confidential information.

While companies around the world spend large sums on technology to protect against cyber attacks, the biggest threat is right in front of them.

A data breach often serves as a wake-up call to organisations that store personal data – supermarket chain Morrisons is being sued by thousands of employees after a disgruntled senior auditor posted staff salaries, bank details and national insurance numbers on news outlets and data-sharing websites.

Although the cause of the leak was an employee who held a grudge and who was subsequently jailed for eight years, the group claim alleges that Morrisons is ultimately responsible for keeping their personal data safe.

A recent First Advantage survey of HR, risk management and C-suite executives revealed that the majority of respondents agreed that people are their main concern when it comes to internal and external security threats.

The survey’s findings also indicated that employment screening is crucial. Sixty percent of respondents said background screening was more important than any firewall or anti-malware software.

As a consequence, the workplace is becoming a battleground between the employee’s right to privacy and the employer’s need to protect their information assets and systems. This has been brought into focus again recently following a European Court of Human Rights decision which allowed an employer lawfully to monitor e-mails and Yahoo Messenger chats of an employee on a limited basis while at work, albeit subject to the usual limitations on monitoring.

To minimise the risk of staff-related breaches, organisations should take a proactive, rather than reactive, approach to creating a secure culture. Having appropriate policies, procedures and training in place will be key to this.

Break out?

How to prevent data breaches by staff:

  1. The right people – Make sure the right people are in the business. Employers should carry out appropriate background checks on new employees as well as behavioural assessments for personality profile, decision-making and ethics. This is particularly important the more access an employee is going to have to critical systems or data.
  2. Simplify – Security policies and protocols should be easy to understand. Multimedia, apps, video and posters can complement written instructions to make the protocols more accessible to employees. Regular testing is sensible to ensure the messaging has hit home.
  3. Contracts – Ensure employment contracts impose appropriate obligations to comply with company policies and procedures, particularly security-related ones, and that the employment contract and policies set out the consequences of non-compliance. On any breach, a prompt investigation should be undertaken to identify what happened and whether the breach was intentional or not. Where unintentional mistakes occur, the underlying cause should be addressed, but when intentional violations take place, disciplinary action should be taken, up to and including dismissal.
  4. Contracts and policies – Ensure contracts are up to date and have an appropriate definition of confidential information. ‘Don’t misuse our confidential information’ is simply not enough. Policies should be up to date, including having in place security policies and employee monitoring policies, and updating disciplinary policies to expressly include cyber security breaches (whether intentional or through negligence).
  5. Training – Significant investment may be required to train employees so that they are informed about the system requirements. Staff must be continuously immersed in the security requirements and their knowledge kept current with refresher training as requirements change. This includes regular risk management updates to staff reminding them of the risks, how to avoid them and reminding them they are required to take steps.
  6. Shock tactics – Explain what would happen if a data breach occurred as a way of ensuring staff understand the importance of keeping systems and information secure.
  7. Limited access – Employee access and authority should be limited to the levels that are necessary to carry out their duties. The most confidential information should be limited to a small group of people. Ensure the information is kept secure (eg encryption, password protection, limitations on USB access and physical security).
  8. Departures – As part of the secure culture, incidents involving breaches of security policy must be reported to the management. Failure to do so should be treated as a security incident in its own right, provided staff are made aware of this obligation and disciplinary policies reflect this.
  9. A lessons learned approach – Investigations should be undertaken to understand and respond to the underlying causes of breaches. Learning should loop back into the organisation, allowing for improvements, with the sharing of learning related to data breaches within the broader workforce to build engagement with the system delivery. The security policy and procedures should be updated to deal with any vulnerabilities that are discovered.
  10. Monitoring – The surveillance of cyber systems is necessary both to ensure independent identification of breaches that have not been identified via voluntary reporting and to enable the organisation’s access to information in the event that a breach occurs. However, there are restrictions on monitoring of employees, so it is vital the company has an appropriate employee monitoring policy in place, which staff are aware of and have easy access to, and that the policy is followed.

More generally, companies’ obligations to protect information about individuals will only become even more onerous with the coming into force of the General Data Protection Regulation. The Regulation is expected to be adopted in May 2016 with two years before implementation. While the existing framework of obligations will remain, what is at present good practice will become a legal requirement. Crucially, penalties for breaching data protection law will be much larger (up to 4% of global annual turnover). Larger organisations may also be required to have a data protection officer to understand and meet the requirements of the new rules.

Nobody wants to be the next big data breach, not least because of the cost and reputational damage. Therefore organisations of all sizes face a long-term balancing act of investing in IT systems, educating and engaging staff, putting in place contractual arrangements as well as complying with data protection laws – with the ultimate goal of minimising risk to keep their systems secure and avoid claims.