Thankfully the recent customer data breach that Three Mobile suffered doesn't affect Irish customers. It is not an enviable position for a company to be in, especially when the breach comes from within.
I recently wrote an article on this topic for the Sunday Business Post along with two investigators, Dr. Mee of VM Forensics and Bernadette Treanor of Beo Solutions. Our article highlighted that breaches caused by employees, through negligence or inadvertence, are much more likely than an external cyber attack.
Many businesses worry about the cost of putting in expensive technology to improve their information security, when in reality over 52 per cent of security breaches ultimately stem from simple human error. That's before you even consider the danger from disgruntled or criminally-minded employees who are actively seeking to do harm.
Employee risks range from losing confidential information, to accidentally introducing viruses, right through to stealing confidential information with a view to selling it or bringing it to a competitor. Recent examples include CEO fraud, whereby the attacker pretends to be the chief executive and emails an employee in the organisation instructing them to transfer money to an account. These scams are usually targeted, with individual employees singled out using information gathered from social media. The practical defence is a verification step outside email: any payment instruction, however senior it appears to come from, is confirmed by telephone on a known number before funds move.
So what can you do?
Education - When it comes to employees and cyber security, knowledge is key. Make sure your staff are aware of the potential risks to your systems and that they know how to report anything suspicious. This education should begin at induction but be continuously refreshed throughout employment. Staff should be trained in how to protect themselves online and how to spot something suspicious.
Contracts – make sure you include confidential information clauses and definitions in your contracts of employment. These should be reviewed regularly to keep them relevant and enforceable. As employees get promoted through the ranks make sure any obligations they have in respect of confidential information are reviewed and changed accordingly for each new role.
Policies - Make sure you have appropriate information systems and acceptable usage policies in place that make it clear what is and what is not acceptable. Include these policies in your induction programme and where possible have the employee sign or email you to confirm receipt. This will be crucial if the employee later tries to claim they weren’t aware of those policies. Monitoring is acceptable once staff know they will be monitored and the legitimate business reasons for doing so are justifiable and clear.
Investigate – Use your disciplinary and other appropriate policies to launch an investigation into the employee's conduct or actions and their impact on the business. It is critical to adhere to the arrangements in your policies and to follow fair procedures at all times. Where there is a shortage of impartial managers within the workplace, or some other resourcing issue, consider appointing an external investigator/appeals officer. You do not want to end up in a situation where an employee who causes a major cyber breach wins an unfair dismissal case against you.
Preserve the evidence - If you become aware that an employee has done something untoward or is in breach of a company policy, consider whether you need to preserve the evidence. If the matter involves laptops, hard drives, software or email accounts, and the matter is sufficiently serious or even criminal, you should consider engaging the services of an IT forensics investigator who can properly inspect the IT systems, retrace and retrieve valuable evidence, and act as an expert witness. Avoid using internal IT resources for these investigations: proper evidential procedures, including a documented chain of custody, should be followed at all times. In particular, do not power on the device or log into the account yourself to "have a look", as doing so alters timestamps and access logs and can undermine the evidence before an investigator has taken a forensic copy.
Garden Leave - If you are concerned an employee could damage your business by leaving to move to a competitor, then consider utilising a garden leave clause. Use your garden leave clause along with any restrictive covenants or non-compete clauses in the employment contract to manage the potential damage. Restrictive covenants must be as limited as possible and are notoriously difficult to enforce, so your garden leave clause may be a more worthwhile option.
What is clear is that employers are not currently doing enough to mitigate these internal employee risks. With GDPR around the corner employers need to ensure that information security and data protection are top of the agenda to mitigate both internal and external risks.
If you need advice in managing employee risks please contact a member of our Employment Law Team:
Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.
One of Britain's biggest mobile phone companies has admitted to a major cyber-security breach which could put the personal data of millions of customers at risk. Three Mobile admitted that hackers have successfully accessed its customer upgrade database after using an employee login. Sources familiar with the incident told the Telegraph that the private information of two thirds of the company's nine million customers could be at risk.