Application Auditing: How to Prevent Internal Data Breaches
Are you aware that 43 percent of company data breaches are internal? A closer look at those breaches in a study by Intel Security found that 22 percent of all breaches were intentional, carried out by workers who felt entitled to use business data for their own purposes, and a further 21 percent were unintentional or accidental. The risk is high whether the cause is motive or simply a mistake.
There are many cases of staff accessing and using data that they are not authorized to see, for example:
In 2014, Andrew Skelton, a disgruntled senior internal auditor at UK supermarket Morrisons, leaked payroll data containing the bank account, salary and national insurance details of nearly 100,000 Morrisons employees to news outlets and data-sharing sites. The company was subsequently sued by 2,000 of the affected employees.
In 2008, security staff at the German telecommunications company Deutsche Telekom violated German data privacy laws by illegally accessing the phone call records and billing data of Telekom directors suspected of leaking confidential information to the media. The breach not only harmed the directors; it damaged public trust in the company's ability to keep personal data safe.
These cases show how employees who face no effective deterrent can take advantage of confidential customer data and exploit critical information for malicious or selfish reasons. Could this happen at your company? If you hesitate to answer, a review of which employees have access to which data should be a priority. Don't put your reputation at the mercy of unchecked access.
The Legal Impact of Internal Data Breaches
Internal breaches have understandably become a major concern, in particular for the EU but also for any organization worldwide that handles EU citizens' personal data and therefore falls under the General Data Protection Regulation (GDPR), adopted by the European Parliament in April 2016. Personal data is not the only concern, however: many other kinds of data within a company are valuable business assets and require equal protection.
If a breach happens after you have reviewed access to data assets, you need to identify the employees involved and resolve it as quickly as possible. Under the GDPR the supervisory authority must be notified within 72 hours of becoming aware of a breach, and the speed and quality of your response is weighed when penalties are set, so it is wise to plan now for how a fast response can be achieved. Monetary penalties are always a motivator to put safeguards in place; however, the publicly recorded enforcement action and the reputational damage that follows are harder to recover from.
For EU companies, and for conscientious organizations elsewhere, there are a few key concepts to consider on the road to securing your data assets, such as Privacy by Design. This GDPR principle requires privacy to be considered in every aspect of personal-data handling within a system or application. Conducting a Privacy Impact Assessment (PIA; the GDPR text calls it a Data Protection Impact Assessment, or DPIA) as part of Privacy by Design highlights exposure to internal data breaches by identifying the company roles that could potentially abuse personal data.
Finding the Right Data Privacy Solution
For management to anticipate the risk of internal data breaches, companies need a method to determine which employees have access to applications that process personal data and when that access actually occurs.
Compuware Hiperstation is a data privacy solution that captures and delivers complete, real usage information about who is accessing mainframe applications and how. Hiperstation is now integrated with CorreLog, the leading independent software vendor (ISV) for cross-platform IT security log management and correlation, and with Splunk, software that collects and analyzes the wealth of machine data generated by enterprise IT environments so that companies can detect and resolve security and performance issues more effectively. Together they give companies a single interface for identifying data-breach risk across distributed systems and the mainframe in far more depth than before.
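The kind of review the two paragraphs above describe, "who accessed which application and data, and when", can be illustrated independently of any product. The following is an added example, not code from the original article and not Hiperstation, CorreLog or Splunk output: it takes constructed access-audit records (usernames, roles, dataset names, timestamps and the entitlement matrix are all made up for this example), summarizes which user actually touched which dataset, and flags the three patterns an auditor would want surfaced first: access to a dataset outside the user's role entitlement, access to personal data outside business hours, and bulk export of personal data.

```python
"""Audit constructed access records against a role entitlement matrix.

Added example for illustration. The records, roles, dataset names and
entitlements below are constructed; they are not the output of any product.
"""
from datetime import datetime

# Datasets that hold personal data and so deserve the closest scrutiny (constructed).
PERSONAL_DATA = {"PAYROLL.MASTER", "PAYROLL.BANK", "BILLING.CALLRECORDS"}

# Which datasets each role is entitled to use (constructed entitlement matrix).
ENTITLEMENTS = {
    "payroll_clerk": {"PAYROLL.MASTER", "PAYROLL.BANK"},
    "security_analyst": {"SECLOG.EVENTS"},
    "developer": {"DEV.TEST.DATA"},
}

# Constructed audit records: timestamp, user, role, application, dataset, action.
ACCESS_LOG = """\
2016-06-01T09:12:03 clerk01 payroll_clerk PAYAPP PAYROLL.MASTER READ
2016-06-01T09:15:44 clerk01 payroll_clerk PAYAPP PAYROLL.BANK READ
2016-06-01T23:41:10 clerk01 payroll_clerk PAYAPP PAYROLL.MASTER READ
2016-06-01T23:43:57 clerk01 payroll_clerk PAYAPP PAYROLL.BANK DOWNLOAD
2016-06-02T10:02:19 secops02 security_analyst SECAPP SECLOG.EVENTS READ
2016-06-02T10:05:08 secops02 security_analyst BILLAPP BILLING.CALLRECORDS READ
2016-06-02T14:30:00 dev03 developer TESTAPP DEV.TEST.DATA READ
"""


def parse_log(text):
    """Parse the whitespace-separated constructed audit lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, app, dataset, action = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "application": app,
            "dataset": dataset,
            "action": action,
        })
    return records


def access_summary(records):
    """Map each user to the set of datasets they actually touched.

    This answers the first audit question: who has effective access to what,
    based on observed use rather than on the permissions that were granted.
    """
    summary = {}
    for r in records:
        summary.setdefault(r["user"], set()).add(r["dataset"])
    return summary


def audit(records, entitlements=ENTITLEMENTS, personal=PERSONAL_DATA,
          business_hours=(8, 19)):
    """Return (time, user, dataset, reason) tuples for accesses worth review.

    business_hours is a half-open [start, end) range of hours; anything outside
    it that touches personal data is flagged, as is any bulk DOWNLOAD of it.
    """
    start, end = business_hours
    findings = []
    for r in records:
        allowed = entitlements.get(r["role"], set())
        if r["dataset"] not in allowed:
            findings.append((r["time"], r["user"], r["dataset"],
                             "dataset outside role entitlement"))
        if r["dataset"] in personal:
            if not start <= r["time"].hour < end:
                findings.append((r["time"], r["user"], r["dataset"],
                                 "personal data accessed outside business hours"))
            if r["action"] == "DOWNLOAD":
                findings.append((r["time"], r["user"], r["dataset"],
                                 "bulk export of personal data"))
    return findings


if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    print("Observed access by user:")
    for user, datasets in sorted(access_summary(recs).items()):
        print(f"  {user}: {', '.join(sorted(datasets))}")
    print("Findings for review:")
    for time, user, dataset, reason in audit(recs):
        print(f"  {time:%Y-%m-%d %H:%M} {user} {dataset}: {reason}")
```

The point of the summary step is that it is built from what users actually did, not from what they were granted; the gap between the two (here, a security analyst reading call records that no analyst role is entitled to) is exactly where an internal-breach review should start. The thresholds (business hours, which actions count as bulk export) are policy choices and would be tuned per organization.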
If your company's data privacy practices don't meet the GDPR's requirements, failing to act and then suffering a breach will bring both a penalty and lost business in a world that is paying ever more attention to data security. Reviewing and monitoring access to your data, by contrast, reflects well on your company in a market increasingly governed by regulation of how data moves and is protected.
Photo: Mark Warner / Flickr