Experts: Employees Commit Most Data Breaches

​HR managers and employers must confront a hard truth: It's not if, but when, their businesses will experience a data breach, experts say.

Most of those breaches won't be committed by nefarious, unknown forces. The damage will instead come from employees.

IBM's 2016 Cyber Security Intelligence Index found that 60 percent of all breaches are carried out by insiders, including current and former employees who—intentionally or unintentionally–take classified or proprietary information with them when they depart.

"It's a huge problem," said Erik Knight, CEO of Simplewan, a cybersecurity business in Phoenix.

Knight said the case of Harold T. Martin III, a former National Security Agency (NSA) contractor suspected of stealing thousands of classified documents, should serve as a wake-up call to managers everywhere.

"The problem is most people think no one will do this. Well, they will do it."

Martin's case became public in October. He was arrested in August, accused of stashing a staggering amount of stolen data over the course of two decades at his home in Glen Burnie, Md. Equivalent to possibly 1 billion pages, the data authorities retrieved from Martin, 51, included the names of intelligence officers who operate undercover outside the United States.

Exiting Employees: Alleviating Risk

Martin's case prompts an important question for all employers to ask themselves: If a secret government agency is struggling to control its employees and contractors, how can corporate HR professionals across the nation reduce their own security risks?

"For large and small organizations, it's important that … any one person, especially a low-level employee, should not be able to have full unrestricted access to everything."

On a positive note, Knight said, cyber theft in the workplace is preventable. "The key [to the] word is 'pre.' HR managers can stop [breaches] before they happen by creating and educating employees on policy and procedures," he said. "For large and small organizations, it's important that the company segments the business, which means [that] any one person, especially a low-level employee, should not be able to have full unrestricted access to everything."

[SHRM members-only resource: Computer, E-mail, and Internet Usage Policy]

IBM found that 44.5 percent of breaches were done maliciously by employees; 15.5 percent were done inadvertently by employees—often allowing hackers in by accidentally opening malware, sending sensitive information to incorrect e-mail addresses or losing a company laptop that is then compromised.

It's still not clear why Martin, who remains in jail on charges of theft of government property and unauthorized retention of classified information, took the material from the NSA. His attorneys claim he was a hoarder. Federal prosecutors say his actions posed a threat to national security. He joins other former government employees Bradley (now Chelsea) Manning, who gave classified information to WikiLeaks in 2010, and Edward Snowden, a former CIA employee who sent classified information to journalists in 2013.

Employees Have More Access than Ever

HR IT managers must recognize and accept that the Internet has transformed the boundaries of the workplace.

"It used to be when you were in the office you had access to things, but when you were outside of the office you didn't. So, when you let go of an employee, you walked them out the door. And they were out," said David Meyer, vice president of product for OneLogin, an identity and access management company based in San Francisco.

Now the lines are blurred, he said. Once the employee has walked out the door, he or she is not necessarily truly gone. "Employees work on the web and on their mobile phones .… They are typing on the phone the moment they walk out of the room you just fired them in."

Martin had been storing classified government defense-related data in his home and inside an unlocked garden shed long before he walked out the doors of the NSA, and for years before the FBI caught him. His employers likely missed strange behavioral signs, according to The New York Times, such as the fact that he had previously been charged with cyberharassment.             

HR Should Educate Employees

Unlike Martin, Snowden and Manning, most employees are not aware they are doing anything wrong when downloading proprietary work to take home, storing classified files to keep safe, bringing home a laptop or even sharing a portfolio of work done at a former company with a new employer, which may be a violation of company policy, Knight said.

HR should also be wary of former employees tricking current workers into divulging proprietary information, known as "social engineering," he added. "That's when a former employee fools a friend still at the company to do something illegal or not appropriate. Maybe it's 'Can you copy my whole desktop and e-mail it to me?' The company usually never knows."

HR managers have to train their employees on proper usage and protection of their workplace computer systems and digital information, and they should set up procedures that block employees from being able to copy that kind of information, Meyer explained.

It's hard to detect the handiwork of "malicious insiders" if HR isn't looking for it. Most of the crimes fall into three categories: fraud, intelligence theft and damage of company computer systems. The first two occur when someone appropriates sensitive intelligence, contacts or data just before leaving the company, usually to sell or share. The latter occurs when a former employee is seeking revenge.

Reducing the Threat

Meyer said employers must look for those signs and set up safeguards before damage is done. One way to safeguard the workplace from terminated employees seeking retribution is to install identity software that removes an employee from digital work applications the moment she sits down to have the separation conversation with an HR manager. "During that meeting, you flip the switch. The moment they walk out of the room, they can't connect to their messaging app because their identity system has been shut down."

While tracking the digital habits of fired employees is smart, employers should also track the habits of employees who resigned. "There's usually been an emotional roller coaster going on there, too."

The key, he said, is to do some detective work on their workplace devices immediately after separation. "Best practice is to look at what they've been up to for the last 90 days" before they left the company. "What have they downloaded? Trace what applications have they been using." And most of all, he said "see if their digital habits have suddenly changed."

New York City-based writer and editor Tatsha Robertson is the creator of The Ordinary Genius Project blog and co-author of Media Circus: A Look at Private Tragedy in the Public Eye (BenBella Books, 2015).

Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.