Human error – whether this is a technical misjudgment or a clumsy mistake by someone out of their depth – can cause damage and business disruption disproportionate to the original action. It doesn’t take much; a worker who opens a suspect email and lets a virus loose on a crucial IT system, or someone who inputs the wrong information into multiple spreadsheets and bins the original source data. Mistakes happen. There is a limit to what organisations can do, other than try to train staff well, make all employees aware of the best-known risks, put processes in place to catch mistakes early and, once they happen, act to prevent them in future.
Yet organisations may also be exposed to deliberate, malicious behaviour from workers who feel that they have been slighted or are owed something, who want revenge, or who enjoy taking needless and unsanctioned risks. There are plenty of examples.
In 2018 two California-based scientists pleaded guilty to stealing trade secrets, including cancer research potentially worth millions of dollars or more, from pharmaceutical giant GlaxoSmithKline (GSK). They passed these to a government-backed Chinese pharmaceutical company named Renopharma, which one of the conspirators had set up to act as a repository for all the information.
No profession is incorruptible. Last October, supermarket chain Morrisons lost its appeal to overturn a 2017 judgment that found it “vicariously liable” for a malicious data breach caused by a disgruntled senior IT auditor who released the personal and financial details of nearly 100,000 staff. The supermarket chain has said that the breach cost £2m to rectify, after 5,518 former and current employees brought a class action claim against the company in October 2017. Andrew Skelton stole the data, which included names, addresses, National Insurance numbers, bank account details and salaries, and deliberately leaked it online and to local newspapers after managers disciplined him for dealing “legal highs” at work.
Disciplined, but not dismissed, he stole the data as part of a grudge against the company. He was jailed for eight years in 2015, after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.
Lawyers acting for the claimants said the data theft meant they were exposed to the risk of identity theft and potential financial loss. They added that the company was also responsible for breaches of privacy, confidence and data protection laws – despite the fact that the UK’s data regulator, the Information Commissioners’ Office, which had originally investigated the case, had found that Morrisons had processes and procedures in place to protect personal data, no harm was done to any data subject and the breach was the criminal act of an employee acting in bad faith.
The case is the first data leak class action in the United Kingdom. No other organisation has ever been held vicariously liable for a data breach in the past 20 years. Morrisons, which claimed in the original trial that it was “an innocent party”, says it will now appeal to the Supreme Court. However, if that appeal fails, those affected will be able to claim compensation for “upset and distress” even without proof of financial loss. Lawyers expect this could result in a multi-million-pound legal bill.
Employee malice and disloyalty may be more common than you expect. For example, identity governance specialist SailPoint’s Market Pulse Survey released in 2018 found that 15 per cent of respondents would sell their company’s passwords (and, as a consequence, the data these could access) in exchange for cash – some for less than US$100.
Sue Andrews, HR director at broker KIS Finance, says that it is a good idea to identify “high risk” employees as quickly as possible – ideally during pre-employment checks overseen by HR. “References aren’t worth the paper they are written on, so you need to look at other ways to determine whether people are suitable for the roles you want to fill,” she says. Psychometric testing can be useful to learn more about what drives particular people or makes them “tick”, she adds. Typical “red flags” to look for include people who are extremely competitive, overly ambitious, or who are committed to achieving results at any cost, as they are more likely to ignore control procedures.
Conversely, it is also worth watching those who are overly helpful, or who are unengaged. “Motivations behind why people ignore rules and deliberately act in risky ways vary. Some people whose actions cause the greatest havoc do it out of company loyalty. Some people who pay bribes to secure contracts do it to secure the company’s future rather than their own fortune, for example,” Andrews warns.
Periodic monitoring is important. “Monitoring and supervision should not feel constant, but employees should know that they will be held to account for conduct breaches or for overstepping the mark,” says Andrews. “Regular one-to-one work reviews can be useful as these give managers an opportunity to discuss the positives and negatives of how people approach tasks and whether these are in step with the organisation’s expectations around behaviour and culture.” Similarly, “360-degree reviews”, in which HR talks to employees’ colleagues, line managers and subordinates, for example, can also provide a fuller picture showing how staff interact with other people. Random interviews can also be helpful.
While malicious employees are an obvious threat, it can be less easy to spot employees who circumvent controls, policies and procedures because they think compliance hampers their jobs. Around a third of respondents to SailPoint’s survey said that they or one of their colleagues had purchased software without the help or knowledge of the IT department so that they could do their jobs more easily, despite knowing that they were breaking the rules. Furthermore, half of all respondents would pin the blame on the IT department if a cyber attack occurred as a result of an employee being hacked, even though they knew that workers were regularly breaking security protocols.
Andrews says that employee risks to the business are “almost inevitable” unless organisations put parameters and controls in place to prevent employees from having access to sensitive material they don’t need and shouldn’t be allowed to take. “The more steps you take to control which employees have access to which systems, data and offices, the better chance you have of preventing accidental or deliberate breaches, theft or sabotage,” she says.
For example, using endpoint computers linked to a server that has no hard drive or facility to plug in a memory stick immediately limits what data can be accessed. Likewise, installing printers that require a log-in and which record what has been printed can prevent employees from walking out with sensitive information. Dual authentication to access specific servers or information can also reduce data breaches or malicious data thefts.
It may also help if the workforce is encouraged to understand “risk” and “compliance” in the same way that internal auditors do (as well as the possible consequences of non-compliance). “The starting point is to motivate the workforce by instilling an understanding of the importance of compliance and avoiding risk to the company and to customers,” says Louise Pasterfield, founder and managing director at compliance training provider Sponge. “If they understand what’s at stake, they will be more vigilant day-to-day,” she says.
When reviewing training and awareness programmes, Pasterfield says that internal auditors should focus on the most important issues that employees need to know. “Don’t bog them down with irrelevant information. They’ll need a grounding in how to identify and respond to potential risks, and in recognising safe and unsafe behaviour. Deliver this essential learning in manageable chunks that’s quick to learn and easy to remember. If learning tips over into dull, then people are less likely to engage.”
While there is an obvious need to look at employees’ personalities, organisations should also look at themselves and examine the cultural tone they set as an example. “More often than not, individuals who cause problems either thrive in, or are born out of, the environment in which they work,” says Andrews. “If the organisation has a reputation for being risky and aggressive, managers and employees soon behave in the same way. That can pose real legal, financial and reputational problems further down the line if such behaviour is not checked and the ‘tone from the top’ does not change.”
This article was first published in Audit & Risk magazine May/June 2019.