There is no doubt that 2020 has been a strange year, but neither a global pandemic nor catastrophic economic disruption were enough to dissuade criminals from launching cyber-attacks against everything from government bodies to healthcare providers to video gaming companies to cannabis point-of-sale systems.
As much of the world’s population rapidly shifted to work-from-home models and businesses were forced to transition to remote operations, weaknesses in both security protocols and user training were exposed. Studies suggest that remote workers were behind approximately 20% of the data breaches, data theft and sale incidents, and ransomware outbreaks within organisations this year.
Lax password practices are one problem; device sprawl is another. Studies estimate that the average household in a developed country owns more than eight Internet-connected devices, and the average household in a developing country owns three, typically all sharing one home network. Companies therefore have to worry not only about the risks posed by company-issued devices and VPNs, but also about the personal devices on the same network as their remote workers (computers, smartphones, gaming consoles, smart speakers, security cameras, wearables and the like).
It is no secret that where there are connected devices, there is an increased risk, but what about the threats that humans pose to data security?
- In July, consumer credit reporting company Experian South Africa notified the Information Regulator and the National Credit Regulator that it had been deceived into handing over the personal information of millions of people to a person posing as a client. The fact that someone could dupe staff into handing over confidential information points to serious lapses in its systems.
- In late October, South African financial services group Absa discovered that a credit analyst employed by the bank had sold the personal information of 200 000 clients to third parties.
- The Office of the Australian Information Commissioner (OAIC) reported 1 050 data breaches for the 2019-20 financial year. Most of these were attributed to human error; 317 notifications were attributed to malicious or criminal activity, and 14 to the loss of paperwork or storage devices.
The average cost of a data breach in these countries runs between $2.14 and $2.15 million, with expenses including forensic investigations, audits, crisis management, notifications to data subjects and data protection regulators, business disruption, system downtime, revenue loss, legal expenses, regulatory fines, reputational damage and more.
What can organisations do to minimise the risk of employees exposing corporate data to bad actors?
“Front your ERP and other critical systems with a mature business process management (BPM) product like FlowCentric Processware”, recommends Denis Bensch, CIO of FlowCentric Technologies.
This approach allows a business to limit both the amount of data and the number of systems to which individuals have direct access. When an employee needs to complete a specific task, only the data that task requires is pulled through from the other systems and displayed on the BPM software’s screens; the employee never works directly in the underlying ERP.
There are many advantages to this approach, Bensch explains, including limiting the amount of information that is exposed to any single person, and ensuring that corporate and legislative governance requirements are adhered to.
“Every business should have watertight processes in place for the authorisation of any transaction, including the release of information. There also has to be a separation of duties so that no single employee has complete control of an asset (money, data, inventory, etc.), can singularly authorise the release of that asset, or keep a local copy of the asset or of records pertaining to the asset,” Bensch explains.
Limiting access to data reduces complexity for honest workers, while reducing the risk of a bad actor accessing and stealing hundreds or thousands of confidential records at a time.
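As an added illustration, and not code from FlowCentric or from the original article, the following Python sketch shows the three controls described above working together: a mediation layer that pulls through only the fields a given task needs (so a screen for one task never carries a client’s ID number or salary if the task does not use them), a per-user daily budget on distinct records so that one analyst cannot quietly walk off with 200 000 of them, and a two-person rule on any release of records. The task names, role names, budgets, client records and audit log are all constructed for the example.

```python
from collections import defaultdict


class AccessDenied(Exception):
    """Raised when a request falls outside the caller's task scope or duties."""


# Constructed back-end records standing in for an ERP/CRM. In this design the
# mediation layer is the only component that reads them directly.
BACKEND_CLIENTS = {
    "C-1001": {"name": "Client One", "phone": "+27 10 000 0001",
               "id_number": "ID-0001", "salary": 25000, "credit_score": 640},
    "C-1002": {"name": "Client Two", "phone": "+27 10 000 0002",
               "id_number": "ID-0002", "salary": 41000, "credit_score": 710},
    "C-1003": {"name": "Client Three", "phone": "+27 10 000 0003",
               "id_number": "ID-0003", "salary": 18000, "credit_score": 580},
}

# Each (hypothetical) task declares exactly the fields its screen needs.
# Fields outside this set are never pulled through, whatever the back-end
# record holds; note that id_number appears in no task here.
TASK_FIELDS = {
    "verify_contact": {"name", "phone"},
    "assess_credit": {"name", "salary", "credit_score"},
}

# Which (hypothetical) roles may perform which tasks, and who may approve.
ROLE_TASKS = {
    "call_centre": {"verify_contact"},
    "credit_analyst": {"assess_credit"},
    "team_lead": {"assess_credit"},
}
APPROVER_ROLES = {"team_lead"}

DAILY_RECORD_BUDGET = 50   # distinct client records one user may open per day
MAX_RELEASE_BATCH = 10     # records a single approved release may contain

_records_opened = defaultdict(set)  # (user, day) -> client ids opened that day
AUDIT_LOG = []                      # (day, user, task, client_id) per access


def fetch_for_task(user, role, task, client_id, day, budget=DAILY_RECORD_BUDGET):
    """Return only the fields `task` needs from one client record."""
    if task not in ROLE_TASKS.get(role, set()):
        raise AccessDenied(f"role {role!r} may not perform task {task!r}")
    opened = _records_opened[(user, day)]
    if client_id not in opened and len(opened) >= budget:
        raise AccessDenied(f"{user!r} exhausted the daily budget of {budget} records")
    record = BACKEND_CLIENTS[client_id]  # KeyError for an unknown client
    opened.add(client_id)
    AUDIT_LOG.append((day, user, task, client_id))
    return {k: record[k] for k in TASK_FIELDS[task] if k in record}


def release_records(requester, approver, approver_role, task, client_ids, day):
    """Two-person release of task-scoped records, e.g. to an external party."""
    if requester == approver:
        raise AccessDenied("separation of duties: a requester may not approve their own release")
    if approver_role not in APPROVER_ROLES:
        raise AccessDenied(f"role {approver_role!r} may not authorise releases")
    if len(client_ids) > MAX_RELEASE_BATCH:
        raise AccessDenied(f"{len(client_ids)} records exceeds the batch limit of {MAX_RELEASE_BATCH}")
    # The release still passes through the task projection and is charged to
    # the approver's daily budget, so an approved bundle never carries fields
    # the task did not need, and nobody can approve unlimited volumes.
    return {cid: fetch_for_task(approver, approver_role, task, cid, day) for cid in client_ids}


def access_is_denied(fn, *args, **kwargs):
    """True if calling fn raises AccessDenied; handy for exercising the checks."""
    try:
        fn(*args, **kwargs)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print(fetch_for_task("alice", "call_centre", "verify_contact", "C-1001", "2020-11-01"))
    print(access_is_denied(fetch_for_task, "alice", "call_centre", "assess_credit", "C-1001", "2020-11-01"))
    print(release_records("bob", "carol", "team_lead", "assess_credit", ["C-1002"], "2020-11-01"))
```

The point of the design is that the ERP’s full record never reaches a screen: a call-centre agent verifying contact details sees a name and a phone number, and nothing else, even though the back-end row also holds an ID number and a salary. The audit log records who opened which record for which task, which is what an investigator needs when an Absa-style insider case does occur.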