- the small perceptible part of a much larger situation or problem that remains hidden.“detected fraud is only the tip of the iceberg”
It’s not surprising as they deal with huge amounts of sensitive data on a daily basis, all of which must be accurate, current and easily accessible.
According to The Verizon 2018 Data Breach Investigations Report, 56% of data breaches in the Healthcare industry were incidents involving insiders. It is the only industry where insider threats were the biggest threat to the organisation, above malware, which in itself is a huge concern for the healthcare industry following May 2017’s WannaCry Ransomware attack on the NHS.
Over 80% of incidents comprised of people utilising established logical or physical access to sensitive data in an unauthorised manner with sensitive data being mis-delivered as the most common type of error.
Many of the insider threat incidents were not deliberate but still prove to be costly.
Insiders aren’t just full or part-time employees, they can be 3rd party contractors or business partners and its important to ensure that all are aware of the possible threats and comply with your policies and procedures at all times.
Although its not possible to ensure every single employee is trustworthy and/or complies with all policies and procedures, it is possible for organisations to minimise the risk, here are some ways this can be achieved:
Minimise Your Risk
- Identify your sensitive data
- Identify who has access to sensitive data
- Identify the threat and assess the likelihood of it happening
- Only keep data on a need to know basis
- Encrypt sensitive data
- Use two-factor authentication
- Shred confidential data
- Monitor access to files and records
- Log file changes
- Employ trustworthy people
- Identify individuals who may pose a risk
- Investigate any insider acts and have disciplinary procedures in place
- Monitor and assess employee actions
- Identify unhappy employees
- Track user behaviour
- Ensure employees are trained to spot risk and encourage them to act in a more security conscious way
- Use temporary accounts for 3rd party employees which expire on a certain date and remove & disable accounts as soon as employees leave
- Ensure policies and procedures are in place
- Ensure employees are aware of the latest phishing scams
- Ensure patches are installed promptly and up-to-date, the WannaCry attack could have been avoided if IT staff had installed the latest patch as soon as it had been released in March 2017
- Frequently audit your systems
Good security practice and a transparent framework where all staff are responsible is the first step in reducing your risk, keeping track of it going forward could save you a lot of hassle and money.
Wondering whether you hold any sensitive data? What is sensitive data? Where you can find it? & How you can secure it?
In a nutshell, sensitive data is any data a business considers to be confidential, and that which is bound by regulatory compliance initiatives such as the GDPR.
To break it down, it can be split into 3 sections:
- Personally Identifiable Information (PII)
- Business Information
- Classified Information
This includes, but isn’t limited to, information relating to race or ethnic origin, political opinions, religious beliefs, trade union activities, physical and mental health, sexual life, criminal activity, financial information, health care records, employment records, education records, trade secrets, sales and marketing plans, new product launches, patentable inventions, customer & supplier information, financial data, special security classification data and anything that poses a threat to national security.
Businesses, individuals and the government have a day-to-day responsibility to protect sensitive data; they have had this responsibility for 20 years with the Data Protection Act. Now it’s become more important and necessary with the introduction of the GDPR, which comes into force on May 25th 2018. Non-compliance can lead to significant reputational damage as well as heavy fines.
As a business you need to determine How sensitive the data you have is? Who has access to it? Can you see who has access to it? & most importantly Is it secure?
Start by searching through all your company data and classifying it by putting it into sections relevant to the above categories, set tags on the data to indicate what sensitive information it contains and who can & should have access to it. Set access permissions on that data to ensure its secure and finally set alerts to notify you if there is any unauthorised access or threats to your data.
To get you started, take a look at this 12 Step Guide the Information Commissioner’s Office (ICO) have produced – its a great start to getting organised and may stop you getting a heavy fine or having your data compromised.
Towers Business Park