When many people think of data theft, they think of shady-looking hackers trying to remotely get into a bank or government organisation. They think of customer details being stolen from websites the average Joe (or Jo) wouldn’t want to be associated with – for example, the Ashley Madison hack that revealed thousands of would-be adulterers[i]. Or they think of the recent Netflix hack, which saw several unreleased episodes of one hit show ‘stolen’ by hackers[ii].
The truth is that many of the data breaches suffered by Aussie businesses have nothing to do with shady hackers getting in from overseas and holding information ransom. They have to do with a little something called internal risk.
A recent global report showed that nearly 10% of all data breaches are committed by insiders – employees who misuse their access privileges to steal data[iii]. Of these breaches, 34% are for financial gain, and 25% are for espionage reasons (note – these may overlap). On average, these data breaches took several months to discover. And they didn’t come cheap. Another report, by IBM and the Ponemon Institute, put the cost of a data breach per record at up to $142[iv].
Earlier this year, online fashion retailer Showpo sued a former employee and her new employer (Black Swallow) for ‘reputational damage and loss of sales’[v]. Lawyers for Showpo alleged a graphic designer downloaded the store’s whole customer contact list – 306,000 names and contact details – before leaving her role. The case was settled in April; Black Swallow now has to pay Showpo $60,000[vi]. In other words, the damage caused to Showpo by that data breach was worth at least $60,000, possibly more.
The fact that an online fashion retailer was targeted shows that it doesn’t matter what kind of business you’re in: data theft is a risk. You don’t have to be in entertainment, finance, or the *ahem* *adult* industry to suffer big time from a loss.
So what can you do to help control data risk in your organisation?
Well, the aforementioned global report recommended a few measures that any business can implement. First off, it’s a good idea to know exactly where all your sensitive data is stored at all times. For example, if you’ve got a master client list, make sure it’s consistently kept in one secure server location – and not copied or transferred elsewhere. Secondly (but just as importantly), it’s a good idea to closely monitor and restrict access on a need-to-know basis. For example, it’s unlikely that the graphic designer in the case above would have needed access to the client list to do their job. A third tip is to closely control the use of USBs; the report said that several incidents involve “a USB drive used to transfer data prior to (the employee’s) departure.”
One of the other steps you can take is employee training. Improved awareness and decision-making ability may help those loyal and well-intentioned individuals amongst your staff to band together and reduce the risk of one of their own leaking vital private details or intellectual property. We offer a flexible, engaging and cost-effective training solution in the form of our flagship unit, ‘Introduction to Information Security’.