The greatest cyber threat to companies is not, as might commonly be assumed, from outside interference, but from people within the organisation itself – so called "insiders". In the 2016 IBM Cyber Security Intelligence Index, it was reported that 60% of all cyber-attacks were carried out by insiders. Of those, 15.5% were inadvertent (for example, clicking virus-containing links), but 44.5% were done maliciously.
For most recruitment companies, their most valuable asset is their database of candidate and client information. Nevertheless, they frequently grant employees of every level wide-ranging access to this most precious of resources, either because they are unaware that there are protective steps that they should be taking to limit access, or simply because they have faith that their employees will not abuse the access given to them. Ultimately, it often boils down to a cultural issue – do you trust employees and believe only the best of them, or do you think that people you know and like may one day betray that trust?
However, businesses should plan on the basis that one day someone trusted will abuse access to data to cause damage to the company. Two fundamental questions businesses need to ask themselves are: (1) who can access the data, and (2) for what purpose? For example, if your organisation covers a wide geographical region, is there any need for employees based in (say) Edinburgh to view candidates or clients based in (say) London? Likewise, if there are individuals assigned to deal with key clients, why allow them access to the whole client database? In short, no one but senior management should be able to access and view the entire database of the company at any one time. They certainly shouldn't need to download it onto a USB stick or email it out of the organisation for any reason. However, in many organisations this is precisely what happens. Determining how, why, when and by whom a database can and should be accessed is a process that requires some careful thinking, ongoing diligence and routine dialogue between management, IT and Human Resources. However, by raising awareness of this issue and keeping it under review, you can safely ring-fence important data assets, thereby mitigating the financial and reputational risks associated with large-scale data loss. It is not uncommon for businesses to suffer adverse PR, lose advantage to competitors, and face fines from regulators when data is taken.
Should your database be taken, there are a variety of legal tools that can be used in order to get it back, including search orders and other injunctive remedies. We have enacted specific legislation in this country to help combat database infringement. Pursuing and bringing actions against insiders also carries with it an important PR message: telling data thieves that they will not get away with it and will suffer financial penalties if caught often prevents further attacks from insiders in the future. However, it is best to take simple steps to safeguard your data before it's stolen rather than trying to close the stable doors after the horse has bolted.