Data is the new oil. So said Clive Humby, the brains behind the Tesco Clubcard, who fundamentally recognised the value of knowing your customers.
And so with the importance and value placed on this most valuable asset, organisations and IT teams across the globe are well aware of the importance of protecting it.
Notwithstanding the reputational damage and loss of confidence that losing data can have on a brand, there are also the hefty fines that the Information Commissioner’s Office (ICO) can now hand down with the new powers afforded to them with the GDPR.
From lost laptops and portable devices to malware, ransomware and hacks – the risks of suffering a data loss are plentiful, meaning there are a multitude of areas that IT & HR teams need to put controls and policies around.
The uncomfortable risk – your own staff
It’s an uncomfortable truth, but those very people that swipe into the building and log onto your systems and have access to highly confidential information should be considered as a risk to your data.
And so the news that Morrisons has lost its challenge to a High Court ruling that it is liable for a data breach that saw thousands of its employees’ details posted online is thought-provoking.
The fact that this data loss was initiated by a member of the Morrisons finance team must make organisations sit up and ask: who has access to our company ‘oil’, and what can we do to protect it when those people quite simply need that access to do their job?
Policies are an essential part of data security, but I’m certain Morrisons had some pretty robust policies in place. Yet, that hasn’t stopped a disgruntled Andrew Skelton from leaking confidential employee information.
So what can be done?
There are many sophisticated monitoring tools that can spot unusual activity, prevent large data files from being downloaded, look for outliers and alert IT security staff and fraud departments about staff acting in a suspicious manner. It’s difficult to know what tools were in place at Morrisons, but a staff member being able to download 100,000 records and post them online does, on the face of it, seem somewhat surprising.
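To make the kind of monitoring described above concrete, here is an added example (not code from the original post, and not any particular vendor’s tool) that scans a constructed application audit log for bulk record exports. It applies two checks: an absolute cap on records per export, and a per-user outlier test against that user’s own typical export volume. The log format, the user names, the thresholds and the sample figures are all assumptions made for the example.

```python
"""Flag bulk record exports in an application audit log (illustrative example)."""
import statistics
from collections import defaultdict

# Constructed sample audit lines: timestamp,user,action,records_exported
SAMPLE_LOG = """\
2018-03-05T09:12:00,ajones,export_payroll,120
2018-03-06T09:15:00,ajones,export_payroll,140
2018-03-07T09:10:00,ajones,export_payroll,130
2018-03-08T09:20:00,ajones,export_payroll,135
2018-03-09T09:11:00,ajones,export_payroll,3000
2018-03-05T10:01:00,bsmith,export_payroll,200
2018-03-06T10:05:00,bsmith,export_payroll,210
2018-03-07T10:03:00,bsmith,export_payroll,190
2018-03-08T22:41:00,bsmith,export_payroll,100000
"""

ABSOLUTE_CAP = 5000    # hypothetical policy: no single export may exceed this
OUTLIER_FACTOR = 10    # hypothetical: flag exports above 10x the user's median


def parse_log(text):
    """Turn the CSV-style audit text into (timestamp, user, action, records) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, records = line.split(",")
        events.append((ts, user, action, int(records)))
    return events


def find_bulk_exports(events):
    """Return (user, timestamp, records, reason) for each suspicious export."""
    per_user = defaultdict(list)
    for _, user, _, records in events:
        per_user[user].append(records)
    alerts = []
    for ts, user, _, records in events:
        if records > ABSOLUTE_CAP:
            alerts.append((user, ts, records, "above absolute cap"))
            continue
        # Median is robust: one huge export barely moves the user's baseline.
        baseline = statistics.median(per_user[user])
        if records > OUTLIER_FACTOR * baseline:
            alerts.append((user, ts, records, "outlier vs user baseline"))
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_exports(parse_log(SAMPLE_LOG)):
        print("ALERT", *alert)
```

In the sample, the 100,000-record export trips the absolute cap regardless of history, while the 3,000-record export is under the cap but still flagged because it is far outside that user’s normal volume.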
Let’s not forget that what Skelton did was perform a criminal and fraudulent activity, which resulted in him being charged for his crime and sentenced to eight years in prison. However, that still hasn’t prevented Morrisons from being on the receiving end of some unwanted press and the threat of legal action from those affected employees.
Morrisons is appealing the decision by the High Court, and so we will see how this story evolves. If that appeal is unsuccessful, those staff affected by the data leak will then have the option to pursue claims for “upset and distress” caused by the leak.
This could be a costly episode for Morrisons.
It serves as a lesson that we need to face that uncomfortable truth: there is a real risk of data losses originating from our own staff, and it highlights the importance of having the necessary tools in place to monitor and prevent such activity.