Research commissioned by data privacy and risk management firm Egress Software Technologies has revealed that a quarter of UK workers have purposefully shared confidential business information outside their organisation.
Sharing Confidential Business Information
The findings of the research, conducted by OnePoll on behalf of Egress and involving 2,000 UK workers who regularly use email as part of their jobs, make worrying reading for UK businesses and highlight the common, but often overlooked, security vulnerabilities of ‘insider threat’ and human error.
The research showed that not only have 24% of workers purposely shared information with other companies, but nearly 50% have received an email by mistake. This has meant that almost half (46%) of respondents in the research admitted to having received a panicked email recall request.
In the case of ‘malicious’ insider threat, it is worrying that the research indicates that 24% of workers have purposely shared information with competitors or new and previous employers and other entities. This amounts to a data breach that it is difficult for companies to protect themselves against. These kinds of leaks and breaches can undermine company efforts to comply with data protection laws and protect competitive advantage, and can leave companies open to huge financial risks, loss of customers, and damage to their brands.
An example of insider threat that has been in the news (again) recently is the case of the disgruntled former Morrisons employee who stole and leaked the personal details of almost 100,000 staff to national newspapers, and on data-sharing websites. This resulted in a £2 million clean-up bill at the time, and now 5,518 former and current Morrisons employees are suing the company in the High Court.
The Egress research appears to show, however, that the more likely risk most companies face is accidental email misuse. The research revealed that the biggest human factor in sending emails in error was ‘rushing’ (68%), while auto-fill technology caused almost half (42%) to select the wrong recipient in the list.
8% of those workers involved in the research even admitted to alcohol being involved with wrongly sent emails.
The research showed that almost one in ten (9%) of staff had accidentally leaked sensitive attachments, e.g. bank details or customer information, thereby putting customers and their own company at risk.
What Does This Mean For Your Business?
Accidental misuse of email clearly represents a real and prevalent risk to businesses that could leave them open to a variety of potentially serious financial, legal, and market risks. High pressure, busy business environments can make it more difficult for employees to always make the correct checks on emails before they press the send button, but highlighting the issue and reminding people to be extra-careful with email checks can be a good starting point.
The research also shines an important light on insider threat. Crowd Research Partners, for example, have found that 74% of organizations are vulnerable to insider threats, and 75% of survey respondents estimated insider threats cost their companies at least $500,000 in 2016.
There are many well-documented behavioural indicators of insider threat (see online), the most common one being a lack of awareness, e.g. employees with savvy IT skills creating workarounds to technology challenges, or employees using personal devices to access work emails.
Companies can help protect themselves by adopting a holistic and layered approach to user behaviour analytics to help spot potential risks. Companies need to pay attention to security infrastructures, and to adopt a comprehensive, risk-based security strategy that includes:
- Awareness, education and training – compliance with security best practices, employee training and security monitoring.
- Behaviour monitoring for detecting and mitigating insider threats.
- Implementing appropriate procedures when employees terminate their employment, e.g. denying them further access to IT systems.
- Information governance to provide the intelligence that drives security policies and controls.
- User-based analytics to provide detection and predictive measures.
- Development of an incident response program to consider internal and external breaches.
- Being clear on legal and regulatory considerations.
- A cross-organisational effort (people, processes and technology) to gain a detailed understanding of the organization’s assets and security posture.