Cybercrime – are your employees a threat to operational security?

Cyber-attacks, which can wipe-out IT systems and cause huge financial loss, pose a serious threat to organisations and are on the rise.

A recent independent report[1] which surveyed organisations across North America, Europe and Asia/Pacific, found that 52% of executives said employees are the biggest threat to their operational security. Cybersecurity and risk management is not something that can simply be handed over to the IT department. It requires engagement at all levels. In this article, we explore how employees, inadvertently or otherwise, can contribute to cybercrime risk and make some suggestions for employers to put into practice to manage and mitigate this risk. 

The UK Government Cyber Security Breaches Survey 2021[2] reports that one of the consistent lessons arising from its research is the importance of staff vigilance, given that the vast majority of cyber breaches and attacks being identified involve malicious activity via staff members’ user accounts.

Recent high-profile data breaches involving retailers, hoteliers and airlines show the impact employee error can have, when combined with insufficient security systems. For instance, in January 2020, attackers compromised two Marriott employees’ user details and logged into one of the hotel chain’s third-party applications. The attackers gained access to 5.2 million records of Marriott guests. In relation to a separate earlier incident, Marriott received a fine of £18.4 million from the Information Commissioner’s Office (ICO) for failing to keep personal data secure. More recently the Colonial Pipeline hack in the US involved malicious cyber attackers who were able to use compromised employee user account credentials to gain access to the IT environment.

Cyber risks arising from COVID-19

Changes in working practices that have accompanied the COVID-19 pandemic are likely to be with us for the long term and have led to an increase in cyber breaches.

In March 2020, the UK’s National Cyber Security Centre published guidance to organisations to support secure homeworking as it acknowledged that encouraging, or requiring, staff to work from home will present new cyber security challenges. Remote workers may need to use new, unfamiliar software, employees may become more distracted when working from home, staff may be sending company information to a personal email account and multiple family members may be using the same device (for work video calls, home schooling, gaming, video streaming). Any one of these examples may leave a device used at home more vulnerable to a cyber-attack. For example, personal email is often not as secure as company email. Additionally, the use of personal devices which may not be as secure to log-on to an employer’s network, can also compromise security. 

There are also many COVID-19 related scams now in existence. Google says it blocks 18 million COVID-19-related scam emails each day[3].

Internal cyber risks

The risks to organisations from actions or inactions of employees come from a wide range of factors:

Employee human error

• This includes inadvertently sending sensitive information or personal data to the wrong recipient. Additionally, there is the issue of system misconfiguration where sensitive information is not properly secured, encrypted or password protected, which can result in unauthorised access. It is important to also consider the loss of devices or papers containing sensitive information.
• The key to reducing such risks is by increasing awareness of data security risk with real life examples and giving employees the skills to mitigate the risks. Whilst it will be impossible to completely eradicate human error, it can be greatly reduced with appropriate staff education and ongoing training. A recent government survey found that only 14% of businesses reported that they offered cyber security skills training to employees, although training is more commonplace in larger organisations[4].

​Rogue employees

In contrast to the previous section, this involves intentional wrongdoing by an employee who has access to and/or is familiar with the company’s IT systems. For example:

• In the US in 2018, a Cisco engineer was alleged to have caused $1.4 million in damages when he gained unauthorised access to the company’s cloud infrastructure and deployed malicious code that deleted 456 virtual machines used for Cisco’s WebEx Teams application.
• In the UK in 2013, an IT auditor working at Morrisons Supermarkets, caused a data breach by uploading payroll data of nearly 100,000 staff to the internet, after he had been subject to unrelated disciplinary proceedings.

Ensuring IT security resilience

Whether a cyber-attack results from inadvertent employee error or a malicious act by a rogue employee, organisations should be thinking proactively about the structure, access and management of IT systems, for example:

• Do all employees have administration rights?
• Are employees’ access rights restricted to areas necessary for undertaking their day-to-day work only?
• Has the organisation considered the segregation of company/work-related information from personal information relating to employees’ private lives that an employee may store on devices, which would increase the amount of personal data stored on its systems?
• Do employees use their own personal devices to carry out work-related activities which may not have robust security features, or which may introduce vulnerabilities to the organisation’s IT system?

Impact on employers

A data breach or cyber-attack can have huge impact on employers.

Technical Risk

IT infrastructure is a high-value target. The risk to operational control and data integrity from a breach is serious and something which has a high cost in terms of time, financial cost and reputation. The ensuing operational disruption can lead to delays in service delivery for the organisation which can result in a loss of confidence by customers and clients.

Financial Risk

In addition to the costs and expenses that are involved in responding to a cyber-attack (such as the cost of restoring IT systems) there is also business interruption loss or the cost of making a potential ransom payment. Organisations can also be subject to regulatory fines and penalties where the cyber-attack involves for instance a data breach. The data protection regulator, for example, imposed a penalty on British Airways of £20 million for having insufficient security measures, allowing hackers to access personal information of customers.

Litigation Risk

Employers can be found liable by the courts for data breaches of their employees. As noted above, Morrisons was the subject of the UK’s first substantive group action in a cyber and data privacy context. It was a claim made by employees whose personal data had been compromised by a rogue employee. The UK Supreme Court ultimately held that Morrisons was not vicariously liable for the data breach given the employee, Mr Skelton, was not acting in furthering the employer’s business, and his acts were an effort to deliberately harm the employer as part of a vendetta. However, the Supreme Court confirmed that it may be possible in other cases for employees to hold their employer vicariously liable if such conduct is closely connected with acts the employee was authorised to do. Whilst in this instance the employer was not found vicariously liable, the Supreme Court has left the door open for data privacy class actions to be brought against an employer on the grounds of vicarious liability where the data breach resulted from the acts of an employee who was acting in a way that was closely connected with the employer’s business.

Regulatory Risk

It is vitally important to be aware of the law, regulations, and regulators to which your organisation is subject. Under the GDPR, regulators in all countries can hand out very large fines. For example, the data protection regulator in Luxembourg fined Amazon €746 million in July 2021in relation to Amazon’s processing of customer data  to personalise advertising.

Reputational Risk

A cyber breach can also be damaging to an organisation’s brand and can lead to a loss of confidence in the business. This can particularly be the case if the breach is seen to be one that was avoidable. A survey found that in the event of a data breach, 85% of customers are likely to inform others about their experience.[5]

Steps for employers to adopt to mitigate risks

In addition to ensuring an organisation’s IT security system is resilient (as discussed above) it is also important for employers to be prepared and have a plan in place in order to respond swiftly and effectively in the event of a cyber event. This will include considering the following points:

• Engaging a team of experts (e.g. IT forensic and legal) to not only assist with the remediation, restoration and recovery of IT system and business operation but to head off any downstream risks which include regulatory scrutiny and litigation risks.
• What policies are in place? Often an HR policy will simply state that “information is to be kept confidential” but when informing employees of a cyber breach that has affected the company, it is important to emphasise the confidentiality of the details of such an incident to prevent rumour-mongering and unwanted public scrutiny.
• Consider the flow of information within the organisation. Is it important to be completely transparent with staff, or is it more important to stop any flow of misinformation and therefore ensure that communications are kept to as small a group as possible? Both options likely to have their advantages and it will depend on the specific facts of the security event as to the best approach to take. It is worth bearing in mind that employees may well be anxious and concerned about what has happened to their data, who has access to it, whether there will there be any impact on their day to day activities and whether they will continue to be paid.
• Employees should be on board to manage any client expectations and to provide the necessary assurance to clients that the incident is being handled competently.
• It is key that all employees should be vigilant against any further attacks and must know what to look out for and how to go about reporting any suspicions. Training is key.

Clyde & Co’s Cyber Risk team has worked on over 3,000 data breaches and cyber incidents including a number of the largest, most high-profile incidents globally to date. Working together with our well-regarded Employment team colleagues, we would be delighted to discuss any queries this article may raise.  

We have also helped organisations better understand their cyber risks and can share with you some key tips and considerations. If you would like to receive further information on these key tips and considerations, register your interest here.