The good news is, not likely.
Why do we talk about internal threats when dealing with cyber security? Research shows that about 28% of all data breaches are the result of internal actors. (Verizon 2018 Data Breach Investigations Report)
Most of the internal risks can be placed into three categories: Errors, Misuse, and Intentional.
Errors: We are only human. We all make mistakes – be it a typo, a reply-all, a misdirected email, or a mismatched envelope/mailing label. These happen, but also can carry significant consequences. For instance, you intend to send your law partner, Bob, an email with client information but mistakenly autofill the address as Bob the competitor. Or the dreaded CC’ing of an entire client list!
We have all heard examples of universities emailing protected information to entire student lists instead of to one student. Another example was the Aetna data breach resulting in a $17M settlement where their mailing using window envelopes allowed patients’ names and HIV status to be visible. No one intends any harm or even intends to have these situations occur. There are errors, but those errors can be far from harmless.
Misuse: Ok, I get it. You see Kim Kardashian walking out of your firm and you just have to know why she was there! You won’t tell anyone. You just want to see for yourself. You are not involved in the matter and have no business need to access her file. You just want to take a little peek.
These are very common – especially in the legal, health care, and law enforcement sectors. The temptation to look places you shouldn’t, without any ill intent, can be great. But it can also be a breach of confidentiality and a data breach resulting in headaches and fines for your company/law firm.
Intentional: Do you know how much your data is worth? It is not uncommon for personal records – especially those that can be used for medical or tax filings – to easily fetch $100-$1,000 or more per record. A recent survey of healthcare employees revealed that 18%-21% of them would sell patient data for $500 per record. That is just those who admit they would do so if offered!
It is tempting, especially when you could use some extra cash. (We have talked about insider threats before: defending data from employees, the cyber danger from within, and employee theft.) It can also be easy to justify to themselves given all the data breaches revealed in the past few years and especially after the Equifax breach…how would they trace it back to you? However, this is not a victimless crime, and this poses a significant risk to your practice.
As we did last week, here are a few tips to help reduce your risk:
- Employee training – early and often!
- Know who has access to your files and when they have access (don’t forget vendors such as cleaning services).
- Restrict access to files (don’t forget the paper ones too!) to only those who need access.
- Consider disabling the removable media drives on your work machines.
- Consider restricting access to web-based file sharing sites and web-based email except for those necessary for business purposes.
- See if your firewall can detect unusual amounts of data being transferred out, or data being transferred to unusual locations.
- Have another set of eyes on mass mailings, mass emails, or postings where there is a risk that a mistake could cause a breach.
- Be aware of changes in behavior in your employees such as being worried about money or suddenly living above their means.
- Employee education – yes, that was #1 as well, it is critical and the best tool in your box!
So no, you have most likely not hired a hacker, but you do need to take steps to ensure the confidentiality of information and discourage crimes of opportunity.
Stay tuned next week for our final installment – a review of hidden liabilities around your home and office.
Have you missed any of our #cybermonday posts?
Check them out here: