The threat within: How SMEs can protect themselves from light-fingered staff

It hasn’t been an easy time for small businesses. Where once cybercriminals shunned SMEs in favour of larger corporates, the threat landscape has changed drastically in recent years. According to the 2013 Information Security Breaches survey, 87 percent of small businesses had a security breach in the past year. However, while the threat from external attacks is undoubtedly rising – and SMEs are growing increasingly aware of it – another equally serious threat is silently lying in wait: the insider threat.

While almost two thirds of SMEs did report attacks by unauthorised outsiders, an almost equal number reported staff-related security breaches. In fact, 36 percent of the worst security breaches suffered by SMEs over the past year were caused by inadvertent human error – and a further 10 percent by deliberate misuse of systems by staff. These findings paint a worrisome picture – SMEs are now responsible for vast amounts of customer information, including contact details, credit card information and other Personally Identifiable Information (PII).

While businesses are taking steps to protect themselves against external attacks from cyber criminals, many fail to secure their businesses and customers from staff-related incidents. In fact, 17 percent of small businesses admit to knowing that their staff broke the data protection regulations in the last year – up from 11 percent the previous year. It appears that those leaving a company and ex-employees pose the greatest risk, as recent research found that the number of High Court cases relating to the theft of confidential information soared by 250 percent between 2010 and 2012, with the majority of cases involving ex-employees and SMEs.

From using data to impress a future boss, to selling it on to marketing firms, or stealing intellectual property for their own business plans – employees are taking entire databases with them to use for their own benefit.

For small businesses, this trend causes a major dilemma: while they cannot risk the financial implications and loss of reputation associated with a breach, they also need to tread a fine line between monitoring employees and giving them the freedom and trust they need to do their job well. So just how can business owners bridge the gap between security and an efficient working environment?

1. Trust is good, control is better. There is no doubt that trust plays a large part in the relationship between employer and employee. Nevertheless, it is still important to vet your staff properly and carry out background checks before entrusting them with confidential data.

2. Put it in writing. Be clear from the beginning that company data belongs to you, not the employee. By highlighting this in their employment contract you can ensure they understand that while they may have created or managed the data, it is not theirs for the taking. With these provisions in place you will be in a position to take action in the unlikely event that an employee doesn’t toe the line.

3. Keep control of your data. Anyone working in a business will know that, due to the sheer amount of data processed on a daily basis, it is easy to lose track of who is responsible for it and where it is – or should be – stored. An inventory of all data is essential to locate sensitive data and limit access to it.

4. Secure mobile devices. Particularly with small businesses, a substantial proportion of the workforce is connected using BYOD devices, meaning employees regularly take data in and out of the office and connect to the network from external locations. To keep the upper hand, employers need to log all devices used by employees – from mobiles and laptops to USB sticks and tablets – and protect network access with VPNs and firewalls.

5. Keep ex-employees out. While most internal leaks will happen unwittingly, the few intentional cases of data theft often involve bitter ex-employees seeking revenge. Ensure you block all access to your network as soon as the employment is terminated to avoid nasty surprises.
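As an added example (not from the original article), here is the kind of offboarding check behind point 5 that a small business could run regularly: it compares an HR leavers list against the directory accounts and flags accounts that are still enabled after the leaving date, accounts used after that date, and accounts with no HR owner at all. The HR and account records are constructed sample data, and the field names are assumptions, not any particular HR or directory product's schema.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical): what an HR export and a directory export
# might look like. Employee ids, user names and dates are invented for this example.
HR_RECORDS = [
    {"emp_id": "e101", "status": "active",     "left_on": None},
    {"emp_id": "e102", "status": "terminated", "left_on": date(2013, 6, 14)},
    {"emp_id": "e103", "status": "terminated", "left_on": date(2013, 7, 1)},
]

ACCOUNTS = [
    {"emp_id": "e101", "user": "aexample",   "enabled": True,  "last_login": date(2013, 7, 10)},
    {"emp_id": "e102", "user": "bexample",   "enabled": True,  "last_login": date(2013, 6, 20)},
    {"emp_id": "e103", "user": "cexample",   "enabled": False, "last_login": date(2013, 6, 30)},
    {"emp_id": "e999", "user": "svc_backup", "enabled": True,  "last_login": None},
]


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def reconcile(hr_records, accounts):
    """Flag leavers' accounts still enabled or used after leaving, and orphan accounts."""
    leavers = {r["emp_id"]: r["left_on"] for r in hr_records if r["status"] == "terminated"}
    known = {r["emp_id"] for r in hr_records}
    findings = []
    for acct in accounts:
        emp = acct["emp_id"]
        if emp not in known:
            # An account nobody in HR owns cannot be offboarded by the normal process.
            findings.append(Finding(acct["user"], "no matching HR record (orphan account)"))
            continue
        if emp in leavers:
            left_on = leavers[emp]
            if acct["enabled"]:
                findings.append(Finding(acct["user"], f"still enabled after leaving on {left_on}"))
            if acct["last_login"] and acct["last_login"] > left_on:
                # A login after the leaving date is the signal worth investigating first.
                findings.append(Finding(acct["user"], f"used on {acct['last_login']}, after leaving on {left_on}"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_RECORDS, ACCOUNTS):
        print(f"{finding.user}: {finding.reason}")
```

On the sample data this reports bexample twice (still enabled, and used after the leaving date) and svc_backup once (no HR owner); cexample is disabled and was last used before leaving, so it is not flagged.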
