Crucial digital assets, such as company and personal data and the financial data that enables e-commerce, have become increasingly vulnerable because of the massive rise in:
- Online transactions
- Variations in terms of regulatory requirements
- Business partnerships
- Outsourcing services
This often increases the risk of compromised data security or data breaches across various industries worldwide. An organisation can first identify and assess its risks through a sound Governance, Risk and Compliance (GRC) management programme.
The organisation can then follow up with a data protection programme and seek certification under the Data Protection Trustmark (DPTM), which was introduced to help organisations demonstrate responsible and accountable data protection practices.
Essentially, the Data Protection Trustmark (DPTM) certification puts organisations through a series of data protection assessments. Upon passing, the Data Protection Trustmark is valid for three years.
Internal Risk from Employees
Based on an analysis of cybersecurity claims made to the insurance company Chubb over the past decade, insider or employee-related incidents account for a large percentage of the claims. So what are internal risks? Essentially, an internal risk is a third-party vendor or employee that has access to the company’s network.
Insider risks are categorised as follows:
Unintentional human error. This is where untrained or careless staff make mistakes that cause a breach. These mistakes can be very expensive. Classic examples of unintentional human error include stolen devices, misaddressed emails and confidential data sent to insecure home systems.
Rogue or malicious employees. Malicious or rogue employees have an intent to steal or cause damage. They can steal valuable or sensitive data for commercial gain. Others may have a vendetta against the organisation.
Cyber attack or hacking (whether through deliberate cooperation by the insider or arising from errors). More often than not, the organisation’s systems are compromised by cybercriminals because of staff negligence. Through human error, it is possible for hackers to hijack identities via unsuspecting employees’ accounts.
These attacks can occur when the organisation does not have a solid data protection security policy. In addition, staff who are untrained or unaware of the security policies and risks may let phishing attacks or malware in through their accounts. Some hackers also leverage stolen credentials, especially ones obtained from data on social networks.
Activity and access coming from trusted systems (and likely going undetected) is one of the most treacherous aspects of insider threats. Oftentimes, malicious employees can also erase evidence of their presence and activities, which further complicates forensic investigations.
Governance, Compliance and Risk
Aside from security controls, it is typical for employees to have a profile assessment prior to joining an organisation. For jobs that require security clearance, a thorough evaluation of the personnel is needed. Similar assessments may be done annually.
Employees will also be required to submit annual declarations, such as renewals of non-disclosure terms or statements of financial standing. However, these measures are not always foolproof. They are considered part of the events and tasks under GRC management for mitigating the risks.
Using the GRC management framework, the organisation identifies the risks and designs intervening events and tasks that can mitigate them. From there, it can assess any risks that arise before and after the interventions.
Organisations also need to have drawer plans to address “what if” scenarios as part of GRC management. This helps the organisation plan a response that can mitigate any negative impact.
In the area of data protection, organisations need to have the expertise needed to manage the risk and consider including the following in their plans:
- Understanding of data protection ethics and regulations (especially in data and process automation)
- Setting up a governance, risk, compliance management programme
- Third-party and policy management
- Business continuity management
- Managing stakeholders and team performance
- Crisis communication plan and managing team performance