Preventing Self-Induced Cyber Breaches
At the 2017 NetDiligence® Cyber Risk & Privacy Liability Forum, a panel discussed the challenges of breaches created accidentally by employees. The panel included:
- Phillip Gordon – Privacy and Background Check Practice Group, Littler Mendelson P.C.
- Brian Robb – Senior Claims Counsel, Global Cyber and Technology Claims, CNA Insurance
- Erich Kron – Security Awareness Advocate & Technical Evangelist, KnowBe4
- Joe DePaul – Cyber/E&O Practice Leader, Willis Towers Watson
- Rob Vasquez – President and CSO, Clarium Management Services
Accidental breaches by employees are the leading cause of cyber breaches for companies. An employee clicks on a phishing email or responds to an email impersonating a company executive, and the attackers gain access to the computer system, obtain company records, and even get funds transferred into accounts they control. Some studies show that up to 69% of cyber claims are related to employee-driven incidents. There is clearly a disconnect between a company's cyber security plans and its employees.
Some of the causes of employee security breaches include:
- Lost or stolen devices
- Misdirected email
- Responding to phishing emails
- Clicking on links or attachments in unsolicited emails
- Abuse of privileged access
According to the panel, organizations that have been hit by these breaches tend to lack a sharp focus on customers, a strong company image, and comprehensive training on cyber incident prevention. Engaged employees tend to be more aware employees, and they make a company less susceptible to such issues.
Employee education is the key to preventing these types of breaches. Some states and government agencies are starting to require employee training as part of their privacy protocols. Checking the box to meet compliance requirements will not make the difference; instead, you need to develop a culture of compliance within the organization. Too many companies rely on their anti-virus software to contain the problem after an employee clicks on a link or attachment that launches malware. They need to focus instead on creating a culture where the employee does not click on the link or attachment without thinking first.
Creating a Culture of Data Stewardship
- Pre-employment background screening and continuous monitoring of employees.
- Robust confidentiality agreements.
- Addressing information security in the employee handbook and in the code of business conduct.
- A robust Bring Your Own Device (BYOD) program.
Many companies are moving toward a BYOD program. As part of this, employers need to have security and encryption software installed on the employee's devices, and the program needs to cover what happens when an employee exits the company, including removal of any company information from the employee's personal device.
From a coverage standpoint, if an employee responds to a fraudulent email requesting information or a funds transfer, the loss may not be covered under a cyber policy, because there was no system breach to trigger the policy. Coverage for such incidents may instead fall under a crime policy. However, it may also be excluded under the crime policy, which often carries an exclusion for "voluntary acts" such as an employee knowingly sending the funds. Employers who lose money to social engineering emails may find they have no coverage available at all.