Cyber-attacks, which can wipe out IT systems and cause huge financial loss, pose a serious threat to organisations and are on the rise.
A recent independent report, which surveyed organisations across North America, Europe and Asia/Pacific, found that 52% of executives said employees are the biggest threat to their operational security. Cybersecurity and risk management are not something that can simply be handed over to the IT department; they require engagement at all levels. In this article, we explore how employees, inadvertently or otherwise, can contribute to cybercrime risk, and make some suggestions that employers can put into practice to manage and mitigate this risk.
The UK Government Cyber Security Breaches Survey 2021 reports that one of the consistent lessons arising from its research is the importance of staff vigilance, given that the vast majority of cyber breaches and attacks being identified involve malicious activity via staff members’ user accounts.
Recent high-profile data breaches involving retailers, hoteliers and airlines show the impact employee error can have, when combined with insufficient security systems. For instance, in January 2020, attackers compromised two Marriott employees’ user details and logged into one of the hotel chain’s third-party applications. The attackers gained access to 5.2 million records of Marriott guests. In relation to a separate earlier incident, Marriott received a fine of £18.4 million from the Information Commissioner’s Office (ICO) for failing to keep personal data secure. More recently the Colonial Pipeline hack in the US involved malicious cyber attackers who were able to use compromised employee user account credentials to gain access to the IT environment.
Cyber risks arising from COVID-19
Changes in working practices that have accompanied the COVID-19 pandemic are likely to be with us for the long term and have led to an increase in cyber breaches.
In March 2020, the UK’s National Cyber Security Centre published guidance to organisations to support secure homeworking, acknowledging that encouraging, or requiring, staff to work from home would present new cyber security challenges. Remote workers may need to use new, unfamiliar software; employees may become more distracted when working from home; staff may be sending company information to a personal email account; and multiple family members may be using the same device (for work video calls, home schooling, gaming and video streaming). Any one of these examples may leave a device used at home more vulnerable to a cyber-attack. For example, personal email is often not as secure as company email. Additionally, logging on to an employer’s network from personal devices, which may not be as secure as company-managed ones, can also compromise security.
There are also many COVID-19 related scams now in existence. Google says it blocks 18 million COVID-19-related scam emails each day.
Internal cyber risks
The risks to organisations from actions or inactions of employees come from a wide range of factors:
Employee human error
In contrast to the previous section, this involves intentional wrongdoing by an employee who has access to and/or is familiar with the company’s IT systems. For example:
Ensuring IT security resilience
Whether a cyber-attack results from inadvertent employee error or a malicious act by a rogue employee, organisations should be thinking proactively about the structure, access and management of IT systems, for example:
Impact on employers
A data breach or cyber-attack can have huge impact on employers.
IT infrastructure is a high-value target. The risk to operational control and data integrity from a breach is serious, and the cost, in time, money and reputation, is high. The ensuing operational disruption can lead to delays in service delivery for the organisation, which can result in a loss of confidence by customers and clients.
In addition to the costs and expenses involved in responding to a cyber-attack (such as the cost of restoring IT systems), there is also business interruption loss and the cost of any ransom payment. Organisations can also be subject to regulatory fines and penalties where the cyber-attack involves, for instance, a data breach. The data protection regulator, for example, imposed a penalty of £20 million on British Airways for having insufficient security measures, allowing hackers to access the personal information of customers.
Employers can be found liable by the courts for data breaches caused by their employees. As noted above, Morrisons was the subject of the UK’s first substantive group action in a cyber and data privacy context. It was a claim made by employees whose personal data had been compromised by a rogue employee. The UK Supreme Court ultimately held that Morrisons was not vicariously liable for the data breach, given that the employee, Mr Skelton, was not acting in furtherance of the employer’s business; his acts were a deliberate effort to harm the employer as part of a vendetta. However, the Supreme Court confirmed that it may be possible in other cases for employees to hold their employer vicariously liable if such conduct is closely connected with acts the employee was authorised to do. Whilst in this instance the employer was not found vicariously liable, the Supreme Court has left the door open for data privacy class actions to be brought against an employer on the grounds of vicarious liability where the data breach resulted from the acts of an employee acting in a way that was closely connected with the employer’s business.
It is vitally important to be aware of the law, regulations and regulators to which your organisation is subject. Under the GDPR, regulators in all countries can hand out very large fines. For example, the data protection regulator in Luxembourg fined Amazon €746 million in July 2021 in relation to Amazon’s processing of customer data to personalise advertising.
A cyber breach can also be damaging to an organisation’s brand and can lead to a loss of confidence in the business. This can particularly be the case if the breach is seen to be one that was avoidable. A survey found that in the event of a data breach, 85% of customers are likely to inform others about their experience.
Steps for employers to adopt to mitigate risks
In addition to ensuring that an organisation’s IT security system is resilient (as discussed above), it is also important for employers to be prepared and to have a plan in place in order to respond swiftly and effectively in the event of a cyber incident. This will include considering the following points:
Clyde & Co’s Cyber Risk team has worked on over 3,000 data breaches and cyber incidents including a number of the largest, most high-profile incidents globally to date. Working together with our well-regarded Employment team colleagues, we would be delighted to discuss any queries this article may raise.
We have also helped organisations better understand their cyber risks and can share with you some key tips and considerations. If you would like to receive further information on these key tips and considerations, register your interest here.