Data breaches from within
Much hysteria has been attributed to the “cybersecurity epidemic” and the spotlight has quickly shifted to hackers, crackers, and other threat agents. But there have been considerable studies reporting and confirming that, in actuality, the biggest cybersecurity threats come from within the organisation.
In the 2016 Cyber Security Intelligence Index, IBM reported that 60 per cent of all attacks emanated from internal threat agents. This should not be surprising as, notwithstanding appropriate controls, individuals from within the organisation have direct access to these systems. Employees interact with business systems, on average, eight hours every day, so the risk of compromising computer systems (whether by nefarious means or by human error) increases exponentially.
So what if we ‘de-escalate’ the hype just a bit, take a step back, and consider what role employees could have played in a security breach?
What role do employees
A system does not have to be riddled with errors in order to fall prey to a security breach. It may very well be an effort in futility trying to hack a system with state-of-the-art technology when you can simply apply for a job, get hired, and get the requisite clearance levels to gain access to certain information. It might even be a result of human error. For example, an account manager succumbing to a social engineering or phishing attack that led to them either clicking on a link or disbursing funds to a fraudulent account.
Just this past summer, Huffington Post reported that Alberta’s MacEwan University lost CDN$11.8 million after being defrauded by a phishing e-mail. Workers were tricked by a series of fake e-mails that asked them to change electronic banking information for one of their vendors. This was not a novel, high-tech, sophisticated, or pure genius security hack. Instead, it was a simple exploit of one of the weakest links in the security chain — employees.
Let the chips fall where they may? Who is really responsible for the breach?
Imagine how the investigation would unfold:
Investigating officer: What happened? How could you let this happen?
Employee: I don’t know; it was an accident. The e-mails seemed legit.
Investigating officer: Were there no controls or procedures in place to verify the veracity of these requests?
Employee: Uhmm…
Where do we go from here?
The above was quite an expensive accident. To what extent should the employee be held accountable for this unfortunate event? The deeper pockets doctrine puts the employer in the best position of ultimate responsibility. But does this mean that employees should not be liable for their presumably careless actions? There doesn’t seem to be a clear answer, but what is true is that it certainly can’t be business as usual.
Consumers are increasingly asking that companies be held responsible for failing to secure the large amounts of personal data they collect and maintain. Rightly so: when they hand over personal information to a corporation there is the expectation that it will take the appropriate steps to safeguard it. In most jurisdictions, the law requires that businesses take “reasonable” steps to ensure that there are appropriate protocols, safeguards, and controls in place. This goes beyond just being technical. It starts with a change in culture. This requires a shift away from the thinking that cybersecurity is a job solely for the IT department. The reality is that phishing and social engineering attacks are becoming more sophisticated, to the point that even security experts are succumbing, too.
A Data Protection Act?
Jamaica needs to get ahead of cybersecurity threats and establish an architecture with clear penalties for customer information data breaches. Unlike most of our counterparts, we do not yet have legislation that deals specifically with data protection. The simple fact is that much of the data held by certain organisations is sensitive and, if it falls into the wrong hands, could result in fraudulent activities being committed. In addition, it could lead to significant losses to the individuals concerned and could continue to cascade further into unfortunate situations. It also amounts to a breach of that individual’s civil liberties.
Data protection is seen as a fundamental part of any progressive society. The attendant practices should come in the form of responsible guidance on best practices concerning data protection. This, in turn, builds public trust and business confidence as increasingly more entities embark on the use of technology in their processes. This drive to have increased efficiency in operations, fostered by the employment of technological solutions, must never come at the cost of privacy rights. A robust mechanism of data protection will stabilise the pendulum as it swings between public and private sector business activities and the fundamental rights of citizens.
Such pieces of legislation are aimed at safeguarding the privacy of individuals. They also set standards for the collection, transmission, manipulation, recording, storage, and use of customers’ confidential information which may be held by an entity in physical or electronic form. In addition, such legislation establishes the right of individuals to confirm whether information concerning them is being used by an entity, including the circumstances under which it is being held. The individual might be empowered to ask that the information be corrected if it is inaccurate, or ask that it be deleted or destroyed, especially if the information being held is unnecessary.
In other jurisdictions, a data controller (a person or organisation who holds information about individuals) is barred from sharing information with third parties unless they have obtained consent from the data subject (the individual whose information is held by these entities). What is essential in such an architecture is that citizens know how to control how information about them is used, or at least have an idea of how others have used that information.
The UK Data Protection Act has a common theme running throughout — holding entities accountable if appropriate systems are not in place to protect data. Organisations must also be mindful of their interaction with third parties and of how important it is to ensure that the information collected is relevant and not excessive. The UK has set a high standard; maybe we can follow suit or enact an even more forward-looking piece of legislation.
So while the CEO and the IT department work out the technical stuff, here are some general tips employees can consider in playing their part.
1. Always think thrice, not twice, before clicking: Double check that the e-mail was sent from where it claims to have been. For example, some e-mail clients allow you to show the full details of the e-mail message. You are then able to see the real sender of the message — even though the sender’s name may be similar to a trusted sender. Also, refrain from downloading and opening attachments from unknown senders. When in doubt, seek assistance from the IT department.
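The “show full details” check above can be automated for the IT department. The following is an added example, not code from the column, that parses the raw headers of a message and reports the mismatches a lookalike sender leaves behind: a display name that imitates a trusted vendor while the actual address is on another domain, and Reply-To or Return-Path addresses that do not match the From domain. The two sample messages, the vendor domain and the name fragment are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed: the vendors we expect to hear from, keyed by the domain we trust,
# with the name fragment a spoofer might copy into the display name.
TRUSTED_SENDERS = {"vendorco.example.com": "vendor co"}

# Constructed sample messages (no real correspondence).
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Accounts Payable - Vendor Co" <ap.vendorco@lookalike-mail.example.net>
Reply-To: payments@vendor-co-invoices.example.net
To: clerk@company.example.org
Subject: Updated banking details

Please update our banking information before the next payment run.
"""

LEGIT_MESSAGE = """\
Return-Path: <ap@vendorco.example.com>
From: "Accounts Payable - Vendor Co" <ap@vendorco.example.com>
To: clerk@company.example.org
Subject: Invoice 1042

Attached is invoice 1042.
"""


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message, trusted_senders=TRUSTED_SENDERS):
    """Return the real sender and a list of findings that warrant a phone call."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. The friendly name imitates a trusted vendor, but the address does not
    #    belong to that vendor's domain.
    for domain, fragment in trusted_senders.items():
        if fragment in display_name.lower() and from_domain != domain:
            findings.append(
                f"display name '{display_name}' resembles {domain} "
                f"but the address is {from_addr}"
            )

    # 2. Replies would go to a different domain than the one shown as sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 3. The envelope sender (where bounces go) is on yet another domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"Return-Path {return_path} differs from From domain {from_domain}")

    return {"display_name": display_name, "address": from_addr, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        report = check_sender(raw)
        print(f"{label}: {report['display_name']} <{report['address']}>")
        for finding in report["findings"]:
            print("  -", finding)
```

None of these findings proves fraud on its own (mailing services legitimately set their own Return-Path), which is why the output is a list of reasons to corroborate the request, not a verdict.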
2. Remember the three Cs — corroborate, corroborate, corroborate: Spear phishing attacks have become more sophisticated. Don’t only give the e-mail a cursory read and assume that because a seemingly legitimate signature or company logo was used the information is credible. Cyber criminals are smart enough to allude to some convincing detail so establish internal protocols to corroborate requests. Don’t be afraid to take up the phone and call to confirm a request as well. An extra five minutes to corroborate a request could potentially save millions.
3. No more ‘password123’: Reasonable steps should be taken to increase the complexity of your passwords. Hackers sometimes carry out “brute-force” attacks. These attacks use software that makes thousands of guesses in an attempt to crack your passwords. Some cross-reference with words in the dictionary, so the easier the password, the easier it is to crack. Also, refrain from writing down your passwords on sticky notes or in a notepad left lying around your desk.
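To show why ‘password123’ and its cousins fall so quickly, here is an added example (not from the column) of the kind of check a company could run when a password is chosen. It undoes the tricks that cracking software also undoes (trailing digits, trailing punctuation, digit-for-letter substitutions), looks the result up in a word list, and estimates how many bits of guessing a plain brute-force attack would need. The word list is a constructed miniature standing in for the large dictionaries real tools use, and the 12-character minimum is an assumed policy value.

```python
import math
import re
import string

# Constructed miniature word list; real cracking dictionaries hold millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "jamaica", "summer", "admin"}

# Digit/symbol substitutions that cracking rule sets routinely reverse.
LEET = str.maketrans("0134$@!", "oleasai")


def normalise(password):
    """Reduce a password to the dictionary word it was probably built from."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # 'summer2017!' -> 'summer'
    return base.translate(LEET)            # 'p@ssw0rd'    -> 'password'


def charset_size(password):
    """Size of the alphabet a brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)    # 32 printable symbols
    return size


def assess_password(password, wordlist=COMMON_WORDS, min_length=12):
    """Return dictionary exposure, brute-force cost and whether the policy accepts it."""
    base = normalise(password)
    dictionary_hit = base in wordlist
    # Brute-force cost: log2(alphabet ** length). Meaningless when the password is
    # a dictionary word, because a wordlist attack never searches that space.
    bits = len(password) * math.log2(charset_size(password)) if password else 0.0
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if dictionary_hit:
        problems.append(f"built from the dictionary word '{base}'")
    return {
        "dictionary_hit": dictionary_hit,
        "brute_force_bits": round(bits, 1),
        "acceptable": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    for candidate in ("password123", "P@ssw0rd!", "correct-horse-battery-staple"):
        print(candidate, assess_password(candidate))
```

The length check matters more than the character-class mix: the bit estimate grows with every character added, while swapping an ‘o’ for a ‘0’ adds nothing against a tool that tries that substitution by default.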
4. Include cyber goals in individual operational plans: When was the last time you were asked what steps you took to secure the company’s information? Many public servants are required to sign non-disclosure agreements and the Official Secrets Act upon entering the service, but perhaps it’s time that the standard is set a bit higher. The major concentration should be to protect customer data as if it were your own. Ongoing cybersecurity training sessions are necessary, but specific targets should also be incorporated into employees’ operational plans so that, throughout the quarter, employees know exactly what is expected of them.
Hodine Williams is a Crown counsel in the Cybercrimes Unit of the Office of the Director of Public Prosecutions.