Through the Keyhole
28 March 2018
You wouldn’t give your cleaner every single key you own – you’d only give them the keys they need to access the areas of a house or office that require cleaning. Companies can and must apply a similar approach when it comes to safeguarding their information.
People are often the weakest link in an organisation’s information and cyber security. You can have the most advanced technology, but if someone inside the organisation is duped into clicking a malicious link in a phishing email or plugs in a USB stick they found lying outside the building, these technological protections can be rendered useless in the time it takes to tie your shoelaces.
A significant proportion of matters that Schillings is involved in, whether that be a reputational issue affecting a company or a breach of privacy affecting an individual, involve a malicious insider. The malicious insider can take many forms: a disgruntled former employee, a current employee with a grievance or financial problems or someone who has been planted inside the organisation by a detractor to gather information, intelligence and evidence in order to discredit, disrupt or attack.
The scourge of the Insider Threat cannot always be avoided, but giving an insider free and easy access to all of a business’s or family’s information, data, systems and intelligence can be. A disgruntled former employee does not even need to physically take any private and confidential information in order to cause serious amounts of trouble.
For example: a marketing intern at a FTSE 100 company, with 60,000 employees globally, gets aggrieved when they are told they won’t be getting a permanent contract. They decide to tell an industry blog that they have seen evidence of payments being made to third parties in breach of Anti-Money Laundering rules or the Bribery Act. Even though they don’t have any evidence to prove it, the blogger could well publish the intern’s allegations anyway without contacting the company.
Depending on the blog’s credibility and readership, this could of itself cause the company serious problems – bad publicity, regulatory investigations, criminal investigations, loss of customers or business partners and damaged share price. These problems would be exacerbated if the mainstream media were then to pick up on these allegations and run stories based on them or even just reporting on the allegations having been made in the first place.
The company would likely get their auditors, lawyers, investigators and other advisers on board and take the appropriate legal and regulatory steps to confirm that no wrongdoing had occurred. Eventually the truth may come out and the record be set straight, but it does not take long for an issue such as this to snowball, and the company finds itself firefighting on all fronts and suffering reputational damage, with the insider’s lack of evidence getting lost amongst the noise.
It can be very difficult to categorically disprove an allegation such as this immediately. A legal response is not always going to be a silver bullet. Had the hypothetical company set its systems up to reflect the principle of least privilege – that people only have access to the information that they need to do their job – then the marketing intern would never have been able to get anywhere near payment data in the first place. The allegation could still be made, but the company could point straight away to its access records to show that the intern had never had access to that data.
Companies, family offices and wealth owners should consider:
- Applying the principle of least privilege. Only give people access to the information they need to do their job, without impacting operational efficiency. If someone doesn’t need certain information, do not allow them access to it. Ensure systems keep an audit trail of who has accessed information, when, and what they have done with it, and that they flag suspicious activity as it occurs.
- Training employees and staff to recognise and report suspicious activities – phishing, hacking, blagging, social engineering. People are often the weakest link in the cyber security chain, but they can also be one of the greatest security strengths.
- Ensuring the Insider Threat is factored into hiring decisions. Are sufficient checks done to ensure someone applying for a job is who they say they are? Is the risk of someone turning into a malicious insider a consideration for hiring into particularly senior or sensitive roles?
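To make the first recommendation concrete, here is an added example (not code from Schillings or from the original article) of the three pieces it asks for: a default-deny, role-based access check, an audit trail of every attempt, and a simple flag for suspicious activity. The role names, resources and access attempts are constructed for illustration; the “marketing_intern” role never mentions payment data, so the intern from the scenario above is denied by construction and their repeated attempts stand out in the log.

```python
"""Least privilege in practice: default-deny RBAC, an audit trail and a
suspicious-activity flag. Added example with constructed roles and data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role -> set of (resource, action) pairs that role is permitted to perform.
# Anything not listed is denied; the intern's role never includes "payments".
# Role and resource names are constructed for this example.
PERMISSIONS = {
    "marketing_intern": {("marketing_assets", "read"), ("marketing_assets", "write")},
    "accounts_payable": {("payments", "read"), ("payments", "approve"), ("vendors", "read")},
    "auditor": {("payments", "read"), ("vendors", "read")},
}


@dataclass(frozen=True)
class AuditRecord:
    """Who tried to do what, to which resource, when, and whether it was allowed."""
    when: datetime
    user: str
    role: str
    resource: str
    action: str
    allowed: bool


class AccessController:
    def __init__(self, permissions):
        self.permissions = permissions
        self.audit_log = []

    def check(self, user, role, resource, action, when):
        # Default deny: an unknown role or an unlisted (resource, action) is refused.
        allowed = (resource, action) in self.permissions.get(role, set())
        # Every attempt, allowed or not, is written to the audit trail.
        self.audit_log.append(AuditRecord(when, user, role, resource, action, allowed))
        return allowed


def flag_suspicious(audit_log, window=timedelta(minutes=10), threshold=3):
    """Return the set of users with at least `threshold` denied attempts
    inside any `window`-long period. Thresholds are illustrative."""
    denied_times = defaultdict(list)
    for rec in audit_log:
        if not rec.allowed:
            denied_times[rec.user].append(rec.when)
    flagged = set()
    for user, times in denied_times.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(user)
                break
    return flagged


def run_demo():
    """Replay constructed access attempts; returns (decisions, audit log, flagged users)."""
    ctrl = AccessController(PERMISSIONS)
    t0 = datetime(2018, 3, 28, 9, 0)
    attempts = [  # constructed sample activity, one minute apart
        ("intern01", "marketing_intern", "marketing_assets", "read"),
        ("intern01", "marketing_intern", "payments", "read"),
        ("intern01", "marketing_intern", "payments", "read"),
        ("intern01", "marketing_intern", "vendors", "read"),
        ("ap_clerk", "accounts_payable", "payments", "approve"),
        ("ap_clerk", "accounts_payable", "payments", "read"),
    ]
    decisions = [
        ctrl.check(user, role, resource, action, t0 + timedelta(minutes=i))
        for i, (user, role, resource, action) in enumerate(attempts)
    ]
    return decisions, ctrl.audit_log, flag_suspicious(ctrl.audit_log)


if __name__ == "__main__":
    decisions, log, flagged = run_demo()
    for rec in log:
        print(rec.when.time(), rec.user, rec.action, rec.resource, "ALLOW" if rec.allowed else "DENY")
    print("flagged:", sorted(flagged))
```

The point of the audit trail is the second half of the scenario: when the allegation lands, the log shows that the intern’s only contact with payment data was three refused attempts, which is the evidence the company needs to answer the blog, the regulator and the press. The denial threshold and time window are illustrative and should be tuned to the organisation’s normal activity.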
As Warren Buffett once said “in looking for people to hire, you look for three qualities: integrity, intelligence, and energy. And if you don’t have the first, the other two will kill you. You think about it; it’s true. If you hire somebody without [integrity], you really want them to be dumb and lazy”.