Often, the phrase “data breach” conjures up images of code-cracking hackers in far-flung locations. In fact, many data breaches are the result of activities much closer to home—preventable mistakes by your own employees or vendors. As businesses increasingly fall prey to cybersecurity attacks, the risks presented by employees and vendors cannot be ignored.
According to information services company Experian, nearly 11 percent of data breaches result from employee negligence, with 30 percent of those due to human error. Seventy-four percent of IT professionals believe that these numbers are even higher—that insiders are responsible for most data breaches. According to a study by cybersecurity company Trustwave, third-party vendors are responsible for 63 percent of data breaches.
Failure to address employee and vendor data security risks can be extremely dangerous to businesses of all sizes. Data breaches are often catastrophic, with nearly 60 percent of small businesses going under within six months of suffering a data breach.
Proactively addressing controllable employee and vendor risks can significantly reduce any company’s exposure to a dangerous data breach.
Employee training
If basic security standards are not followed, even the most well-intentioned employees can put your organization at risk. Simple things like clicking on a link from an infected website, reusing passwords on multiple accounts, opening or responding to the wrong email, or misplacing a laptop or smartphone can compromise the security of an entire organization.
Alternatively, sound policies and timely education empower your employees to serve as the first line of defense against a data breach, instead of causing the breach.
The development and implementation of a comprehensive information security policy is a critical first step in protecting your organization’s sensitive data and addressing potential employee risk to that data. This policy should (1) address the handling of all information used, processed or held by your organization, (2) classify data based on its importance and sensitivity, and (3) identify technical and procedural measures to protect such data.
Unless all employees are on the same page, even the most air-tight information security policy is useless. Many employees do not see themselves as taking risks and perceive information security as an unnecessary hindrance to their job performance. In fact, executives often pose the greatest risk. A training program that addresses common methods of attack, good information security hygiene, and case studies that illustrate the catastrophic impact of cyberattacks on similar organizations will go far toward making your data safer.
Vendor investigation
Most businesses rely on numerous outside vendors that handle, or have access to, important or sensitive company information. These can be payment processors or payroll services, or even nightly cleaning crews. Before entering into a new vendor relationship, ascertain the kinds of information the vendor will possess or have access to. Determine the potential consequences in the event that this information is compromised.
From day one, diligently investigate each vendor’s security practices by inquiring how the vendor will process your data, who will have access to your data, and where your data will be stored or processed. Ask if your data will be encrypted (both in transit and at rest), what other technical security measures the vendor uses to protect your data, whether the vendor has been audited by an independent third party, and how the vendor conducts its own employee background checks.
Pay close attention to the vendor contract and what it says about vendor responsibility to protect your data. Ensure that the vendor’s security obligations are clearly spelled out. If they are not, ask for a “security addendum” or other documentation that clearly explains such obligations.
Additionally, scrutinize the “limitation of liability” and “indemnification” provisions in your vendor agreement. Some vendors try to drastically limit the amount of their liability in the event of a contractual breach—which could leave your organization without meaningful recourse in the event that your important and sensitive data is compromised.
Finally, make sure your vendor clearly understands which information is important and sensitive to your organization. Payment card information and Social Security numbers are obviously confidential. However, each organization also possesses unique and valuable sets of essential data. Alert your vendors to the fact that this proprietary data must be treated with the same level of care as more obviously confidential data.
Prompt action
Technical security measures obviously are critical in protecting any organization from a data breach. Statistics show, however, that any company’s weakest link is not its technology, but its employees and its vendors. To protect against employee risks, ensure that your organization has an up-to-date information security policy and that your employees are properly trained—making them a security asset, rather than a liability. To protect against vendor risk, make sure that you understand potential risks and put in place adequate security precautions. A proactive approach significantly reduces the odds of suffering a catastrophic data breach.
Daniel D. Hill is a shareholder at Snow Christensen & Martineau. His practice focuses on investment and securities disputes, as well as business and corporate law including cyber security and data breach issues. Robert T. Denny is an attorney at Snow Christensen & Martineau, where he represents clients in a variety of civil litigation matters.