Protecting your confidential data from “insiders”
With many employees now working from home, keeping confidential company information secure is increasingly important.
A company’s employees can, in many respects, be its greatest asset. However, when it comes to keeping confidential company information safe and secure, those same employees (and indeed any other individuals who may be on the “inside” of the business) can also be a major weakness. Unlike an external attacker, an insider already holds legitimate access to your systems and data, so no technical break-in is needed to take it.
In the current economic climate, with unprecedented numbers of employees working from home and accessing systems remotely with little or no supervision, such concerns have become particularly acute. There has never been a better time to recognise that the confidential data within your IT system may be at risk and that you need to take appropriate measures to secure it.
The measures you put in place should fit the needs of your particular business. They don’t necessarily have to be expensive or onerous and may even be free or readily available within the IT system you already operate.
Without wishing to state the obvious, your business could suffer serious financial and reputational damage if inadequate security contributes to high profile incidents of data loss or theft at the hands of your company’s own workforce.
There are, however, a number of practical steps that you can take to prevent such data breaches or limit the damage if they do occur:
Assess the risks
Consider how valuable, sensitive or confidential your data is and what damage could be caused to your business in the event of a security breach. How has this changed in the current remote working environment? A clear risk assessment will help you to choose the most appropriate security measures for your business needs.
You could also take this a step further and undertake the Government-backed assessment scheme, Cyber Essentials (or Cyber Essentials Plus). Cyber Essentials is a self-assessment verified by a certification body; Cyber Essentials Plus adds an independent technical audit of the same controls. Either will give you a certificate confirming that the basic protections are in place, which reduces your exposure to the most common types of attack. Note that the scheme is aimed mainly at external threats, so it complements rather than replaces the insider-focused measures below.
Employee awareness and training
Employees at all levels should be aware of their roles and responsibilities. A thorough and well-communicated set of company policies and procedures is a must. These should dictate the use of company systems, electronic devices and the transfer of confidential information. You should also train your staff to recognise threats to IT security – be that external threats or internal threats from their own colleagues.
Such training should not be neglected in the current environment. In fact, the pandemic has seen increased use of online training modules, which can be a great tool to keep your employees sufficiently informed and aware of the current threats and risks.
Limit and monitor access
Ensure that access to databases and to confidential and sensitive company data is granted only to those employees who need it for their role, and review those permissions when people change roles. Each user should have their own account; shared logins make it impossible to attribute activity to an individual afterwards. Protect accounts with strong, unique passwords and, wherever the system supports it, multi-factor authentication. Current NCSC guidance is to change passwords when there is reason to suspect compromise rather than on a fixed schedule, as forced routine changes tend to produce weaker and more predictable passwords.
Employees who have decided to leave your business present a particular risk, as their interests will no longer be aligned with yours. Such employees may be expected to make an immediate impact at their new place of work and, in the final weeks or months of their current employment, they may face the inevitable temptation of looking after their own interests rather than those of their current employer.
One common way that employees may seek to take confidential information from a business is by logging into their work e-mail or by accessing company systems after they leave. In particular, with increased homeworking it may be the case that employees remain in possession of their IT equipment for a period of time after they actually leave the business. You should therefore ensure that you swiftly disable access for ex-employees, and for members of staff who are absent for long periods, to computers, servers and databases, and also to remote access (VPN), cloud and other web-based services, which are easy to overlook because they sit outside the office network. Disabling an account should also terminate any sessions that are still logged in, as a live session can continue to work after the password has been changed. You should likewise disable access from any mobile devices, remotely wipe company data from them where your device management tools allow it, and secure the return of those devices as quickly as possible.
Another practice often seen with departing employees is the forwarding of confidential information to personal web-based e-mail accounts, which can take place once that employee has decided to leave. This sort of conduct, when discovered after employees have left, has led to numerous disputes that have occupied the courts over recent years. However, prevention is often better than cure. You should therefore have clear policies in place which explain acceptable e-mail use and make it clear that such behaviour will not be tolerated. It is also sensible to make it clear in your policy, which should be read and accepted by employees in writing, that e-mail usage will be monitored to ensure compliance. The same policy and monitoring should cover the other common routes out of the business, such as personal cloud storage and removable media. Your existing IT systems may already be able to flag downloads of large volumes of data or outbound messages to personal webmail addresses carrying attachments; if not, mail gateway and file-server logs can usually be configured to do so.
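The two warning signs described above (outbound mail to personal webmail addresses carrying attachments, and a user downloading far more than their own usual daily volume) can be picked out of ordinary mail gateway and file-server logs. The script below is an added example, not code from the original article or from any particular product. The log formats, the corporate domain, the list of consumer webmail domains, the thresholds and the log lines themselves are all constructed for the example.

```python
"""Flag two insider-exfiltration patterns in constructed log lines.

Added example: the log formats, domain names, thresholds and sample
lines below are assumptions made for illustration, not real data.
"""
from collections import defaultdict
from statistics import median

# Constructed mail-gateway log (assumed format:
# <timestamp> from=<addr> to=<addr> attachments=<n> bytes=<n>).
MAIL_LOG = """\
2024-03-04T09:12:01Z from=j.smith@example.co.uk to=supplier@vendor.example attachments=1 bytes=204800
2024-03-04T17:48:22Z from=j.smith@example.co.uk to=jsmith1984@gmail.com attachments=3 bytes=15728640
2024-03-04T18:02:10Z from=a.jones@example.co.uk to=a.jones@example.co.uk attachments=0 bytes=2048
2024-03-05T08:15:45Z from=a.jones@example.co.uk to=alex.personal@outlook.com attachments=0 bytes=1024
2024-03-05T21:30:00Z from=j.smith@example.co.uk to=jsmith1984@gmail.com attachments=12 bytes=94371840
"""

# Constructed document-store access log (assumed format:
# <date> user=<id> action=<download|view> bytes=<n>).
ACCESS_LOG = """\
2024-03-01 user=j.smith action=download bytes=5242880
2024-03-01 user=j.smith action=download bytes=1048576
2024-03-02 user=j.smith action=download bytes=4194304
2024-03-03 user=j.smith action=download bytes=6291456
2024-03-04 user=j.smith action=download bytes=3145728
2024-03-05 user=j.smith action=download bytes=734003200
2024-03-05 user=j.smith action=download bytes=524288000
2024-03-01 user=a.jones action=download bytes=2097152
2024-03-02 user=a.jones action=download bytes=3145728
2024-03-03 user=a.jones action=download bytes=2097152
2024-03-04 user=a.jones action=download bytes=1048576
2024-03-05 user=a.jones action=download bytes=4194304
2024-03-05 user=a.jones action=view bytes=0
"""

CORPORATE_DOMAIN = "example.co.uk"   # assumed corporate mail domain
PERSONAL_WEBMAIL = {                  # illustrative consumer webmail domains
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "live.com",
    "yahoo.com", "yahoo.co.uk", "icloud.com", "proton.me", "protonmail.com",
}


def parse_kv_line(line):
    """Split '<first-token> k=v k=v ...' into a dict; first token kept as 'ts'."""
    first, *fields = line.split()
    record = {"ts": first}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def webmail_forwards(mail_log, corporate_domain=CORPORATE_DOMAIN,
                     personal_domains=PERSONAL_WEBMAIL):
    """Outbound messages from a corporate sender to a personal webmail
    address that carry at least one attachment."""
    hits = []
    for line in mail_log.splitlines():
        if not line.strip():
            continue
        rec = parse_kv_line(line)
        sender_domain = rec["from"].rpartition("@")[2].lower()
        rcpt_domain = rec["to"].rpartition("@")[2].lower()
        if (sender_domain == corporate_domain
                and rcpt_domain in personal_domains
                and int(rec["attachments"]) > 0):
            hits.append({"ts": rec["ts"], "from": rec["from"],
                         "to": rec["to"], "bytes": int(rec["bytes"])})
    return hits


def bulk_downloads(access_log, factor=10, min_history=3, floor_bytes=100 * 2**20):
    """Flag a user whose daily download volume is at least `factor` times the
    median of that user's earlier days. At least `min_history` earlier days
    are required before the baseline is trusted, and `floor_bytes` stops
    trivially small volumes being flagged just because the ratio is large."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for line in access_log.splitlines():
        if not line.strip():
            continue
        rec = parse_kv_line(line)
        if rec.get("action") != "download":
            continue
        per_user_day[rec["user"]][rec["ts"]] += int(rec["bytes"])

    flags = []
    for user, by_day in per_user_day.items():
        history = []
        for day in sorted(by_day):   # ISO dates sort chronologically as strings
            total = by_day[day]
            if len(history) >= min_history:
                baseline = median(history)
                if total >= floor_bytes and total >= factor * baseline:
                    flags.append({"user": user, "day": day,
                                  "bytes": total, "baseline": baseline})
            history.append(total)
    return flags


if __name__ == "__main__":
    for hit in webmail_forwards(MAIL_LOG):
        print("webmail forward:", hit)
    for flag in bulk_downloads(ACCESS_LOG):
        print("bulk download:  ", flag)
```

On the constructed data the script flags the two messages from j.smith to the Gmail address (the message to outlook.com has no attachment and is left alone) and j.smith’s download volume on 5 March, which is some 240 times that user’s median over the preceding days; a.jones stays within normal bounds. A baseline built from the user’s own history is what makes this useful: a flat company-wide threshold either misses heavy legitimate users or drowns you in alerts. Such output is a prompt for the investigation steps described below, not proof of wrongdoing, and the monitoring itself must be covered by the written policy mentioned above.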
Responding to data theft incidents
If you suspect or you are faced with a data theft incident from someone within your own organisation, employing the correct practices at the outset is crucial. A small investment in knowledge and understanding could make all the difference between getting it right (and catching the culprits and retrieving your data) and getting it wrong.
Our top tips include:
- Engage legal advisors early. This will help to maintain legal professional privilege in any investigation and ensure that any response strategy is managed correctly. This is particularly important where the culprits may be current employees, as they will have employment rights that need to be considered. You will also need to manage the risks of tipping off the suspected culprit too early, which can lead to the destruction of evidence and early dissemination of the stolen data.
- Consider specialist forensic assistance. This is often where many businesses go wrong. Even switching a computer on alters evidence: the operating system updates file access timestamps, writes to unallocated disk space and overwrites the contents of memory, all of which can destroy “metadata” (i.e. data about data, such as when a file was last opened or copied) that may have proved vital in gathering evidence of wrongdoing. Until a specialist has taken a forensic image, the device should be left as it is, and that image, not the original, should be used for any examination.
- Decide who within your business will be responsible for investigating the incident in conjunction with any lawyers or specialists. It is sensible to limit the number of people involved. Particular care should be taken when the suspected culprit is a very senior employee, for example an individual who holds a position on the company’s Board.
- Identify as soon as possible what data has been taken and whether it triggers any obligations for the company, for example notification obligations to the Information Commissioner’s Office under the GDPR. Where a personal data breach is likely to result in a risk to individuals, the ICO must be notified without undue delay and, where feasible, within 72 hours of the company becoming aware of it, so you won’t have long to react.
- Once you have identified the culprits or suspected culprits, make sure you understand their restrictions and obligations – what contracts / policies do you have in place?
- Consider and understand the available evidence before taking action, albeit recognise that you may need to act swiftly to limit any dissemination of misappropriated data. This is often a careful balancing exercise, particularly when you are considering applying for urgent interim relief through the courts. You will need to have gathered sufficient evidence to secure a successful outcome to the application, but taking too long to gather that evidence and delaying the application may cause the court to find against you anyway.