Your own employees.

Yes, you read that correctly. Over 70% of data breaches are caused by employees who have every right to work with that data – but end up doing something stupid with it.

I think sometimes we have this James Bond Hollywood image of hackers as people dressed in camouflage, shimmying down a rope dangling from a helicopter and breaking into a top security vault. The truth is, as a business owner you’re more likely to get one-upped by the people you hire (and fire) than stealthy ninjas.

By the by, I’m guest-speaking at a GDPR Webinar on Wed 25th Sept on this topic.

How a data breach happens

Here’s an example. Your sales person hands in their notice. They’re a key part of your team and have worked diligently in your business for three years. They’re going to work for a much larger competitor, and you wish them luck. As part of protocol, before they leave they hand back their work laptop, keys, phone and notes. One month later, you find out this new competitor is contacting all your prospects and stealing business from you. How did this happen?

In their two month notice period, that sales person was busy harvesting information from your business – your customers, your sales pipeline, your prospects, etc. By the time they handed in their laptop they’d already taken what they needed. They justify their behaviour by saying that the client’s information was theirs because they were the one who got them to sign the contract.

What the law says

What the sales person did was illegal. When you’re paid a salary by a company it’s never your data – it's theirs. So by taking data from a company and using it at a larger competitor, you’re perpetrating a data breach and making the competitor company culpable in that breach. That’s especially true if you then load that data into the new company’s CRM system. This can lead to big fines and time in prison. This happened recently with Morrisons, when an internal auditor published hundreds of thousands of employees’ salaries into the external world. As an auditor he had permission to access this data – but not to publish it. He was fined and sent to prison for six months.

That’s quite scary. But what can I do to protect my business?

A lot of companies will take practical steps like locking off USB ports and installing software that prevents copy functions like screenshots. You can also install software that looks for unusual patterns in employee behaviour, such as a junior finance director sitting at home on a Friday night downloading salary files at 1am. They’re not part of the HR salary process – so why are they doing that? Ideally at this point, the software on your network would raise an alarm flagging it as unusual behaviour.

If only Tesco had done this back in 2016, they wouldn’t have had £2.5 million stolen from 9,000 people by cyber-thieves in one weekend. The hackers had logged on at 10.30pm on the Friday night, breaking into an employee user account. Unfortunately her log-on credentials were easy to guess (surname, first name, company name) and her password was her dog’s name, which could easily be found through a quick browse on Facebook. The thing that should have set alarm bells ringing was that she had never in her life worked remotely – always in the office. Because this detail wasn’t spotted, the hackers logged on Friday night and spent all weekend stealing money using her credentials.
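As an added illustration of the behaviour monitoring described above (this is not code from the original post or from Aiimi), here is a small baseline check that flags the two patterns the paragraph names: HR salary data pulled out of hours by someone outside the HR salary process, and a remote login from a user whose history is office-only. The log lines, user names, paths and the HR group membership are all constructed for the example.

```python
# Added example (not from the original post): a minimal user-behaviour
# baseline check. All log lines and user/role data are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed access log: timestamp, user, location, action, path.
SAMPLE_LOG = """\
2019-09-06T14:12:00 jsmith office file_read /finance/q3_forecast.xlsx
2019-09-06T15:40:00 jsmith office file_read /finance/budget.xlsx
2019-09-06T09:05:00 aperez office file_read /hr/salaries_2019.csv
2019-09-06T16:30:00 mwong office login -
2019-09-07T01:02:00 jsmith remote file_download /hr/salaries_2019.csv
2019-09-06T22:30:00 mwong remote login -
"""

# Assumed role data: the users who legitimately run the HR salary process.
HR_SALARY_PROCESS = {"aperez"}
OFFICE_HOURS = range(7, 20)   # 07:00-19:59 counts as normal working hours


def parse_log(text):
    """Turn the constructed log into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, location, action, path = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "location": location, "action": action, "path": path})
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events):
    """Return (user, reason) alerts for off-hours HR data access by a
    non-HR user and for a first remote login by an office-only user."""
    seen_locations = defaultdict(set)   # per-user baseline built as we go
    alerts = []
    for e in events:
        user = e["user"]
        if (e["path"].startswith("/hr/") and user not in HR_SALARY_PROCESS
                and e["ts"].hour not in OFFICE_HOURS):
            alerts.append((user, "off-hours HR data access by non-HR user"))
        # No baseline yet (first event for this user) means no anomaly.
        if (e["location"] == "remote" and seen_locations[user]
                and "remote" not in seen_locations[user]):
            alerts.append((user, "first remote login; baseline is office-only"))
        seen_locations[user].add(e["location"])
    return alerts


if __name__ == "__main__":
    for user, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

In practice the office-hours window, the baseline history and the role data would come from your identity and HR systems rather than constants.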

To protect your business, start with these six steps

The truth is, though, that the only way to really change things is to educate everyone in your business and champion a culture that puts data security first. The first thing everyone on your executive committee must do is answer these six key questions:

1) What data have you got?

2) Where is it located?

3) Where did it come from?

4) How are you using it?

5) Who are you sharing it with?

6) Do you have permission to do what you’re doing?

I once worked with a telecom company where every single person on the executive committee sat on their GDPR program board once a month and reported on their data protection progress. There wasn’t a single facet of the business they missed out, and the company had invested tens of millions into securing its data. Every member of the committee could answer those six questions – from marketing to HR to finance to sales to manufacturing. And that made total sense, because every part of a business has PII embedded within it. Sales has customer data. HR has employee data. When employees say to me that GDPR doesn’t affect them because they work in HR I almost fall off my seat with laughter. HR is entirely personally identifiable data!

Learn the data protection secrets at this GDPR webinar I’m speaking at

WEBINAR ALERT! On Wed 25th September, 2019 I’m the principal speaker at a webinar on GDPR, hosted by Aiimi. Join us to find out the trade secrets on GDPR, and what to do to protect your business’s data. If you don’t want to follow in the footsteps of British Airways, Marriott and Dixons Carphone with their big data breaches, this one’s for you.

To find out more about how Aiimi can help your organisation overcome the challenge of finding sensitive data and complying with GDPR, get in touch.