Working with the enemy: how vulnerable is your confidential data?

Rance Anthony

As we approach the half-way point of National Cyber Security Awareness Month, Anthony Rance, commercial litigation associate at Watson Burton, provides a timely reminder of the dangers of leaving your IT systems open to attack from within.

Does this scenario sound familiar?  Your company loses a key employee, who had previously been trusted with access to your confidential customer database.  He departs on seemingly good terms, only for you to discover that customers start leaving for his new business venture in their droves.  Upon investigation it transpires that he has in fact walked off with a copy of your confidential database and is now using it to divert business away from your company.

If this scenario does sound all too familiar, then you might take cold comfort from the fact that many businesses across the country have suffered the same fate at one time or another, since this type of data theft can be alarmingly easy to perpetrate.

There are, however, several things you can do to protect your company’s confidential data from falling into the wrong hands…

  • First, assess your IT systems and understand where there may be risks and vulnerabilities. How valuable, sensitive or confidential is the data within them and what damage could be caused to your business in the event of a security breach? It is important to have a clear handle on the answers to these questions before deciding on the most appropriate security measures to deploy.
  • Make sure your employees are all signed up to written employment contracts, which contain a clear and robust definition of what constitutes the company’s “Confidential Information”.  In addition, consider whether any further contractual restrictions are necessary for those employees in a senior role, or with access to particularly sensitive data.  People rarely take the time to focus on the fine print until it is too late.
  • Invest in employee training and awareness.  A thorough and well communicated set of company policies and procedures should let your employees know what their roles and responsibilities are and what they can and cannot do.   For example, policies may lay down guidelines for accessing company IT systems remotely or for working on confidential documents whilst on the move.
  • Consider who needs access to the company’s data and set permissions accordingly.  For example, an employee in your company’s sales team may not need access to financial information about the whole company.  An admin clerk is unlikely to need access to the company’s client list.  Each user should also have their own username and password, which should be regularly changed and updated.
  • Be wary of departing employees. Whilst this is not to say that you should overlook the contribution they may have made to your business, the fact remains that they no longer have a vested interest in its success. Common ways that departing employees take confidential information are sending data to their personal e-mail accounts before they leave, downloading data to a portable device, or logging into company systems after they have left. You should therefore ensure that you disable access to computers, servers and databases for ex-employees as soon as possible.
  • If the worst happens and you suspect or are faced with a data theft incident, employing the correct practices at the outset is crucial.  A small investment in knowledge and understanding could make all the difference between getting it right (and catching the culprit and retrieving your data) and getting it wrong.  In particular, consider whether legal advice is necessary (it usually helps!) and also specialist forensic assistance. This is often where many businesses go wrong – even turning a computer on can alter or destroy “metadata” (i.e. data about data) which may have proved vital and will be lost once overwritten.

These measures are by no means bullet-proof and rogue employees will always try and devise new ways to beat the system and get the upper hand.  However, they should go some way to protecting your IT systems from an attack from the inside and may just save you from answering “yes” to the question posed at the start of this article.
