IT set-up and human let-down – How to minimise the riskSeptember 6, 2023
Almost every week I get a call from a client telling me an all too familiar story of one of their departed workers having been suspected of taking [insert eye watering amount] of business data.
“They’re going to work for [insert competitor name], we need your help,” the client will tell me. The pandemic has turbocharged this problem, as lax operational standards have allowed employees who are working from home to have huge quantities of highly valuable data at their fingertips. We are morally repulsed by the Russian hackers who took huge volumes of personal data from Medibank Private but there seems to be far less public interest when Sharon from marketing finishes up on Friday with one gigabyte of customer data saved on her iPhone with the intention of using it for her new job.
As a disclaimer, I am not an IT security expert. However, I am a legal expert in trying to clean up the mess that misuse of confidential information by employees causes an organisation. I appreciate that the law is not the solution but one of many possible solutions. By the time the problem has landed on my desk there is a burning desire to act with urgency. I want to share with you my insights on where I perceive that these problems often originate.
The people problem
Most Australian businesses have recognised the obvious business need for robust IT security protections. However, most of the efforts are focused on stopping the bad guys from getting in, whether from hacking, to phishing, spear-phishing or man-in-the-middle access attacks. Talking as a person whose personal data has been sold on the dark web due to a medical service provider’s IT failing, there is an absolute need for organisations to take IT security seriously. However, less attention is often placed on how various sections of the workforce are able to manage, copy and transform business data. It is the problems posed by the people within, not the outside, that I have to wrestle with.
‘Playing with’ the organisation’s data is invariably part of a lot of roles within each business. This has driven huge benefits for businesses by using data analytics to identify areas for growth and market gaps. This means that there are often numerous classes of workers within a business who may, if ever tempted, be able to access and extract vast datasets that if they ever fell into the hands of a competitor may be welcomed with open arms. The benefits of granting access to an organisation’s data can also be a latent defect that only manifests much later.
Without presenting an exhaustive list of methods for data breaches, I have pointed out what I see are the common causes for the weakening of an organisation’s data protection posture:
- Apathy to the data being managed: many employees (and managers too) become so familiar with playing with such masses of data that they often lose perspective on the value of the files saved within the devices that they use, perhaps thinking – “It’s just a CSV file with thousands of rows”. When there is a high-level value placed over the analysis and trends reporting, often the value of the underlying data is diminished. There is a greater emphasis on securing the analysis outputs, and the source data takes on a secondary consideration which can lead to less managerial oversight in protecting and accounting for all source data. USB keys left in bags, data files spread across multiple devices, even to the extent that the kids at home use old work reports for colouring in paper.
- The operational imperatives allegedly justify the grant of access to more data: does more data mean better outcomes? In many instances the contingent business security risks can be given a back seat to the present-day business aims arising from granting access to broader data sets. Unfortunately, a focus on specific business outcomes can lead to myopic thinking to the possibility of: what if? It is quite common for finance teams to have very clear lines of authorisation in access to various data sets. These authorisation controls are often part of the professional disciplines that go with those roles. However, these levels of discipline often do not extend to other areas of operations, particularly sales and marketing functions where outcomes can be a stronger driver to decision making.
- Workarounds created because of [insert reason]: similarly, to the above problem in point 2, it is not uncommon for present day problems to trump contingent risks. Humans are extremely creative and adaptive creatures. An inability to access, copy, or move data in order to [insert work goal] can be perceived as a challenge for a worker to solve. Whilst the development of these systems work arounds are invariably undertaken at the time in good faith, they leave latent trap doors for later malevolent exploitation. The highly motivated employee who presented an amazing sales trends report using work arounds, may not share the same attitude six months later after a lacklustre salary review and whisperings by recruiters.
- Device and systems customisations: in my experience, this is a common risk for a lot of organisations big and small. It is extremely common for staff to want to use their own devices, particularly their iPhones, to make their work easier. Whilst most organisations are pretty attentive to device management for new staff, these levels of excellence can diminish over an employee’s life cycle. Excuses are given as to why mobile reception is bad at home, the old work phones are not as good or employee resistance to using multiple devices. These pleas are linked to an imperative to trust the employee because of [insert excuse]. Many organisations wilt to these pressures. This has been particularly difficult due to the massive increase in working-from-home arrangements and the multiplicity of IT band-aid solutions that have been developed to facilitate business continuity.
Good people can do bad things
I have set the stage above for four common instances of weakened business security. Each of them occurs in good faith and arises with a positive operational outcome in mind. However, these small tears in security are premised on the false assumption that the positive, happy and productive worker will always be that way. Sadly, good people can also do bad things. They just need to be placed in the right environment and have a particular mindset generated to trigger their actions.
While there are the garden-variety of data thieves:
- Those who download lists out of business hours in the days leading up to their resignation; and
- the troglodytes who email data to their webmail accounts and then ‘delete the email’.
However, a lot of the more common data thieves are people who have had access to the data for months and months – it’s saved onto their phones, it’s on USB keys that ostensibly were used for work purposes or even on their own personal devices. When those types of people tender their resignations, the ability to get a comprehensive account for all the data they hold can often be akin to trying to find every piece of the shell of Humpty Dumpty. It can require complex forensic IT examinations and even then, there are often roadblocks to getting a comprehensive picture of non-business devices which have been involved in the accessing or using a business’s critical data.
Four ways to prevent data breaches
As a lawyer I should be selling the virtues of the law and how it can save the day. In many instances it can pay a very important part in shutting down the distribution of critical business data by ex-employees; however, it requires invoking complex legal processes and can often be stalled by crafty opponents.
Given the extensive number of well-publicised data breaches, the impact of data theft is within the public conscience. There is still little legislative progress in helping individuals (let alone businesses) who are impacted by data theft. Most legal actions against ex-employees are underpinned by the common law, equitable principles and civil remedies. Whilst I very much enjoy playing in this space, the civil court systems are invariably geared towards a compromised outcome: a settlement. I’m not sure how many times a car thief negotiates a settlement with the car owner once they’ve been identified, however under the current vacuous legislative regime this is very much the end point many organisations face. Many are prepared to stay the course to recover what has been taken and to send a message. Others waver if the initial round of forensic IT examinations don’t bring a smoking gun. As such, prevention of critical data loss is far better than a reactive stance once the breach has occurred.
To minimise the risks of ex-employees walking out the door with your data, I have set out below a non-exhaustive list:
- Refresh (or develop) data access protocols and training – this is likely to ruffle some feathers and raise concerns as to a lack of trust, however it is important to set clear boundaries around dealing with certain types of data sets. If a standard is not set, it can’t be followed.
- Avoid allowing staff to use their own devices. If a work device is not suitable for a specific task, then establish why and get a better one, not just revert to allowing Sally to use her iPhone as a stop gap.
- Audit device usage compliance – with the persistent and gradual creep of personal devices into an organisation’s operations, we recommend that an audit is conducted of at-risk areas of operations to determine the extent to which system work arounds or third-party devices have been deployed.
- Conduct refresher training as a reminder of the importance of data security and risk factors that jeopardises the integrity of an organisation’s data. Managers need to be reminded that present day organisational outcomes do not justify latent risks to IT security.
If you discover a critical breach, we’re here to help but you need to act fast. Given the speed by which large volumes of data can be moved between devices and cloud servers, it is important that any breach is addressed swiftly.