Preventing data theft from employees

The biggest threat to a company’s cybersecurity may be a malicious or careless employee.

When it comes to cybersecurity, companies have plenty to worry about: hackers, criminal gangs, governments — even their own employees.

An infographic from GO-Gulf.com, which combines the results from several surveys, shows that 39 percent of data theft from businesses comes from company insiders. Even more troublesome, 59 percent of ex-employees admit they stole data from their former employers.

Brainloop’s William O’Brien says distributed denial of service (DDoS) is perhaps the most disruptive form of external attack.

Preventing such inside jobs is difficult, especially since workers have access to personal devices and the cloud, as well as collaborative and portable storage devices.

All it takes is one careless or malicious employee to compromise company security, says William O’Brien, chief operating officer of Brainloop, a Cambridge, Mass.-based provider of secure file-transfer services for mid- to large-sized businesses.

O’Brien cited one instance where information on 74,000 Coca-Cola employees was compromised due to theft by a former employee.

Outside hackers

Theft by outsiders remains the biggest threat, of course, and tends to be much more costly, particularly to a company’s reputation.

O’Brien cited Target’s recent hacker breach, which affected millions of holiday shoppers’ financial data.

A company should always be looking for new ways to deal with such threats, O’Brien says. “Security policies must evolve as new attacks occur,” he adds.

In many cases, the target is customer data, not the company itself.

“Our largest threats come, not from hacking our IT infrastructure, but from individuals hacking into our clients’ database servers, getting user information, impersonating users/members, and trying to move funds into another account via instant or next day methods of withdrawals,” says Dima Polyakov, chief technology officer at i-payout, a Hallandale Beach, Fla.-based provider of global digital payment systems.

Learning experience

After an attack has taken place, companies must learn from the experience, says Lawrence Freedman, partner at Edwards Wildman Palmer LLP, a global provider of legal counsel for businesses.

Cyber threats, he says, “largely consist of (a) intentional hacking by outsiders seeking pecuniary gain or just mischief and (b) mistakes and errors from a human or technical perspective on the part of the organization possessing the data.”

Fortunately, there are ways to limit internal and external attacks.

For one thing, permissions to access data should never be stored locally by a user, whether on workstations or personal devices.

Brainloop’s O’Brien recommends that permissions be assigned according to employee level.

“The creation of a virtual workspace or secure environment is essential as data never leaves this area,” he says. “This can extend to email communications, as document attachments are merely a link to the secure area, rather than including the actual document.”

Polyakov of i-payout agrees.

“For internal threats [employees]: As a part of certification we have a set of strict rules for who can access our data center and servers if accessed remotely via VPN,” he says. “For external threats…[we have a] firewall with tight rules and mechanisms to shut down offensive hosts to prevent DoS attacks.”

Legal implications

In addition to data security and encryption, companies also must understand the legal implications.

“First, all technical means should be used to secure and where appropriate encrypt data,” says Freedman of Edwards Wildman Palmer. “This is a balancing act based on the nature of the data, the risk of threat, and the expectations in the industry.

“Second, legal constraints in the form of evolving case law and a myriad of laws and regulations in the states, the U.S. and internationally, dictate a variety of non-technical procedures and protocols to ensure data security,” he adds.

Freedman recommends companies ensure that all breaches are documented accurately “to retain a written record in case of any future regulatory or legal scrutiny that the company acted responsibly.”

Never store remotely

O’Brien uses a collaborative workspace that is remotely accessed. Company data, he says, is never stored remotely but on secure network storage.

“However, for companies considering a collaborative environment, seamless access [with adequate bandwidth and latency] is necessary or else users will use their hard drives and memory sticks to transport data,” he says.

This approach can effectively eliminate threats from internal and external sources.

What should companies do after an attack?

“Find out why it happened, implement a patch, learn from experience and look ahead what might happen in the future and how to prevent it today,” Polyakov says. “[Many] companies don’t even think about getting certification, like for example getting PCI compliance. Big mistake! Each certification prepares you for [an] event that might cost you a lot if you are not ready. Hiring seasoned and certified IT professionals can make a big difference in avoiding disasters.”

The PCI Data Security Standard is a security standard recommended for all companies that accept credit cards and includes specifications for storing financial data.

Michael O'Dwyer
Born in London but living in Hong Kong, Michael O’Dwyer spent over 15 years in the electronics industry, managing information technology, process improvement and supply chains. He writes for a variety of online portals on IT and related topics.