Critical digital assets such as personal/company data and financial data that enable e-commerce are becoming increasingly vulnerable due to exponential growth in:
These lead to an increased risk in the compromise of the security of data and/or data breach across all industries globally.
According to an analysis of cybersecurity claims made to the insurance company Chubb in the past ten years, employee-related incidents (insider) account for a significant percentage of the claims. What are internal risks? This is an employee or third-party vendor that has access to a company’s network.
Insider risks can be categorised into:
The most treacherous aspect of insider threats is that the access and activities are coming from trusted systems, and likely undetected. Often malicious employees can even erase evidence of their activities and presence, thus further complicating forensic investigations. In fact, as a combined factor they make up a large part of the cases. .
In the case reported on 18th March 2021, a team leader of a call centre handling technical support for Singtel customers, was guilty and jailed for leaking data of more than 1,000 business accounts of licensed moneylenders to loan sharks. This was then used to carry out loansharking (harassment to collect debt) activities.3
The culprit was able to access- undetected - over a thousand business accounts of licensed moneylenders and pawn shops, even though it was not part of his job scope. The case came to light only when the police received information that a group of data sellers had been selling statements of call details of licensed moneylenders to unlicensed ones.
Not only was there possibly a breach of Information Security Management System controls, but also clearly an unauthorized disclosure of data and for "illegitimate purposes". There is not enough detail to know if the Data Protection Management System has factored in the risk. Whilst it may have been business contact data, the risk of such leakage (and DPMP) would be part of a wider Governance, Risk and Compliance management (GRC) framework.
In addition to security controls, it is usual for employees to have a profile assessment before joining the organisation. For jobs requiring security clearance, a more thorough evaluation of the personnel is required. Such assessments may even be conducted yearly and employees submit annual declarations e.g. financial standing, renewal of Non Disclosure terms etc but they are not foolproof.
These are part of tasks and events under the GRC management to mitigate risks. In fact, it is from the GRC management framework that the organisation identifies such risks, designs ‘intervening’ events and tasks to mitigate them. The organisation can then assess the risks before and after the interventions. As part of the GRC management, organisations need to have drawer plans to address “what if…”. This helps the organisation to strategise a reaction that mitigates any negative impact.
In the area of data protection, organisations would need to have the expertise to manage risks and factor the following in their plans:
Employees can be an organisation’s weakest link, but also its greatest defence. A malicious employee may sell confidential information or even allow attackers entry into the organisation’s network. An ignorant employee may unknowingly leave an “open door” for attackers. However, an employee who is aware of the risks and educated about signs to look out for in a breach is an organisation’s first line of defence. Ensure that employees are familiar with the risks and responses.
In enabling organisations and DPOs to obtain and/or upgrade the relevant data protection skills, consultancy services and training courses are available. The DPEX Network not only provide the basic skill required but a roadmap that enables the DPO to advance his/her knowledge beyond data protection and integrate with GRC and knowledge about international data protection/GRC framework.
Explore the Learning roadmap in:
Do a quick assessment to find out what your organisation needs.
Article By: Leong Wai Chong, CIPM, GRCP
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
Access online / in-person courses and view past training records
Join lively discussions on pertinent data protection topics
Gain access to data protection research and video resources
Receive value-added data protection updates from the region
The Info-comm Media Development Authority of Singapore (IMDA) launched the Data…
Every day we are confronted with information on companies that allegedly did th…
It cannot be reiterated enough: personal information is property that belongs t…