Mitigating a Data Breach: Insider Threats - Episode 1 - why insider threats must not fall under the radar


Welcome to the first episode of our Mitigating a Data Breach: Insider Threats podcast series. In this series of 3 podcasts, members of the Travers Smith Cybersecurity team, Technology & Commercial Transactions Partner James Longster, Employment Partner Adam Wyman and Dispute Resolution Senior Counsel Rachel Wilson, take a look at what happens in the aftermath of a data breach. They focus on cybersecurity threats originating from within an organisation or its supply chain and discuss how to mitigate their impact.

In the first episode of the series, James, Adam and Rachel look at why it's important not to allow internal cybersecurity threats to fall under the radar, and what preparation can help your business to achieve a better outcome when a data breach occurs.

"Mitigating a Data Breach: Insider Threats" is a short series hosted by From Travers Smith, a collection of episodes and audio versions of our briefings across a broad range of topics, from asset management to technology via CSR and ESG.

Listen on Apple Podcasts


Disclaimer: Transcripts are autogenerated and so may not be 100% accurate. For corrections please contact us.

James Longster 00:00:04:01 - 00:00:23:09
Hi. I'm James Longster, a partner in Travers Smith's commercial IP and technology department. I'm part of Travers Smith's cyber security group. Welcome to our podcast series, Mitigating a Data Breach: Insider Threats. In this series of three podcasts, we look at what happens in the aftermath of a data breach and what organizations can do to mitigate their impact.

James Longster 00:00:24:05 - 00:00:35:04
Throughout the series, I'll be talking with experts from around the firm, Adam Wyman, a partner in our employment department, and Rachel Wilson, who is a senior counsel in our dispute resolution department. Adam, Rachel, thanks for joining.

Adam Wyman 00:00:35:15 - 00:00:36:09
Hello, James.

Rachel Wilson 00:00:37:12 - 00:00:39:10
Hi, James., Adam. Delighted to be here.

James Longster 00:00:40:12 - 00:01:14:00
Great. Good to have you here. And while most of the issues that we will discuss in the series will be relevant to any type of data breach, we've chosen to focus on breaches caused by internal threats, say those caused by people who were authorized to have access to your systems. And in this first episode, we kick off by looking at why it's important not to allow internal threats to fall under the radar, and then what preparation can help your business to achieve a better outcome when a data breach occurs in episode two, we look at the regulatory implications of a data breach and the potential impacts of an employment law perspective.

James Longster 00:01:14:05 - 00:01:36:12
And finally, in episode three, we conclude by discussing potential regulatory action and what types of civil claims your business might face. So Travers Smith helps clients facing data breaches arising from a whole range of causes, many of which are caused by external bad actors rather than by insider threats. So Adam, why the focus today on insider threats?

Adam Wyman 00:01:37:04 - 00:02:02:04
Thanks, James. We don't wish to underplay the damage to bad actors. External to your organization can cause sophisticated denial of service, malware and ransomware attacks in particular can have a devastating impact on business. But it's really important not to underestimate the threat that people internal to your organization or your contractors composed cybersecurity. So we wanted to focus on that human factor today.

Adam Wyman 00:02:03:03 - 00:02:31:05
After all, even where the threat originates from an external source, quite often their routine is via someone who has authorized access to your systems. For example, 94% of malware is delivered via email, according to a report by Verizon Phishing, which, according to the UK government's 2022 Cyber Breach survey, is the form of cyber attack. Most disruptive to business involves external bad actors using social engineering techniques to manipulate your people.

Adam Wyman 00:02:32:04
So often your people are your last line of defence in the context of external threats too.

James Longster 00:02:39:03 - 00:03:07:07
I completely agree. And just to illustrate that point, last October we saw the ICO find into server construction company 4.4 million for failing to keep its staff data safe. Now, that cyber attack came about due to a phishing email forwarded by one employee to another. The second employee opened it and downloaded its contents. This resulted in the installation of malware onto the employee's workstation and hacker compromised 283 systems and six accounts and 133,000 staff were affected.

Rachel Wilson 00:03:08:15 - 00:03:33:06
One thing that surprised me in the Global Risks Report, which the World Economic Forum publishes, was the stat that insider threats represent 43% of all data breaches, whether intentional or accidental. That figure is obviously quite high, and I thought it would be helpful to break down some examples of the types of internal threats that we see. It might be helpful to start by considering a few examples of malicious activity.

Rachel Wilson 00:03:34:02 - 00:03:55:04
A perpetrator might be a disgruntled employee or an ex-employee who is motivated by revenge or a desire to sabotage the company. We also encounter perpetrators who are trying to defraud a company with a view to financial gain. We sometimes see instances of IP theft, for example, an employee looking to sell or use the company's IP and trade secrets.

Rachel Wilson 00:03:55:11 - 00:04:22:12
And finally, an individual might be spying on the company, for example, for a competitor. More frequently, insider threats can be attributable to simple human error. People sometimes make mistakes. And in fact, the vast majority of cybersecurity breaches can be tracked back in some way or other to human error. According to the Global Risks Report, which I mentioned, human error is a feature in 95% of cybersecurity breaches.

Rachel Wilson 00:04:23:09 - 00:04:52:05
As to how this manifests in practice, we've already mentioned phishing and social engineering. People sometimes use unauthorized devices or software, and this poses a risk for companies as these may contain malware or backdoors which create vulnerabilities. A company's tech team might fail to apply a security patch, or there may be a loss of company devices. And of course, the risk of a human error to create vulnerability isn't isolated to a company's staff.

Rachel Wilson 00:04:52:12 - 00:04:56:01
It can occur anywhere within a supply chain and still have an impact.

Adam Wyman 00:04:56:15 - 00:05:23:12
Absolutely. And the challenge with insider threats, particularly malicious activity, is that it's generally more difficult to detect a breach where the person has legitimate access to your systems. And of course, they're more likely to know where your valuable information is kept than outside of an outsider. Moreover, changes in working practices since the pandemic has significantly increased businesses vulnerability to cybersecurity breaches so remote working that has become the new normal.

Adam Wyman 00:05:23:12 - 00:05:34:08
The fact that 45% of businesses are applying your own device policies and digitalization of businesses increase dependency on third party tech providers and of course, supplier consolidation.

Rachel Wilson 00:05:35:10 - 00:06:12:02
Yes, I remember when Twitter staff were targeted by cybercriminals when they started working from home. In 2020, hackers gathered information about key Homeworking employees, then called them up impersonating Twitter's I.T. department and persuaded the employees to input their VPN logins to a fake page, which the hackers then used to access Twitter's real VPN sites. Using that information, the cybercriminals then logged onto Twitter's admin tools and changed the passwords of 130 high profile accounts for individuals like Joe Biden and Kanye West, which they then used to conduct a Bitcoin scam.

Rachel Wilson 00:06:13:08 - 00:06:38:09
I think the fact that more people have been moving jobs post pandemic inflation and the cost of living crisis are all factors which might drive that behaviors and increase the insider threat risks for companies. There's definitely a heightened risk, which requires additional caution around any disciplinary or termination process. In that context, we were talking earlier, James, about a real life example of an insider threat which hit the headlines.

James Longster 00:06:39:09 - 00:07:02:13
Yeah, we were indeed, Rachel. And you're referring to perhaps one of the most publicized data breaches of relatively recent times being the data breach suffered by the supermarket chain Morrisons in 2014. So to set the scene is the day that your financial results are due to be announced. You're contacted by a national newspaper to whom an anonymous concerned member of the public has sent CDs of a file containing the payroll data of your employees.

James Longster 00:07:03:02 - 00:07:32:06
Almost 100,000, as it turns out, which the source claims are also available on a publicly accessible file sharing website. Now, fortunately, Morrisons responded well. Within hours, they'd taken steps to remove the data from the Internet, instigated internal investigations and informed the police. And later one of their employees was arrested. It transpired that he'd harboured a grudge following a previous disciplinary action for minor misconduct five months before he'd surreptitiously coffee the file from his work laptop to a USB stick.

James Longster 00:07:32:06 - 00:07:47:09
And a couple of months after that, he uploaded them to the public website. Now he'd gone to some lengths to cover his tracks, using software to mask the identity of his computer. A pay as you go mobile phone, as well as setting up a false email account in the name of a fellow employee whom he'd attempted to incriminate.

James Longster 00:07:48:02 - 00:07:58:14
He was later convicted of offenses under the Computer Misuse Act and the data Protection Act 1998, which is, as I'm sure you all know, the predecessor to the GDPR. He was also sentenced to eight years in prison.

Rachel Wilson 00:08:00:03 - 00:08:27:00
That's quite a grudge. I remember reading that Morrisons spent nearly £2.3 million in dealing with just the immediate aftermath of the data breach. And a significant part of that was spent on identity protection measures. The Morrisons employees now, although the ICO investigated Morrisons, was found not to have breached the data protection Act. It nevertheless subsequently faced a class action from more than 9000 of its workers.

Rachel Wilson 00:08:27:08 - 00:08:34:11
Morrisons won, but only eventually the case actually ended up in the Supreme Courts and will return to that in later episodes.

James Longster 00:08:36:00 - 00:08:55:06
Yeah, so hopefully we've set the scene for why a focus on insider threats and the role of staff in averting external threats should be a boardroom priority. So if the worst occurs, how can you manage fallout from a data breach and achieve a better outcome for your company and customers? First of all, it's important to remember that preparation really is key.

James Longster 00:08:55:10 - 00:09:20:09
So let's say you're in that Morrisons situation. It's important to act quickly, as Morrisons absolutely did, to identify and contain the issues and meet notification deadlines, even if you are found to have breached responsibilities. Responding quickly and well can impact the level of fines, help manage reputational damage, and maintain the trust of individuals who were impacted. Now that means having a response strategy already in place.

James Longster 00:09:20:09 - 00:09:46:00
So before a data breach, you would ideally have appointed a response team which would include senior execs. It complaints or risk people from comms and in-house legal, and that team should ideally also include external contacts. So you'll all want to have established relationships with forensic investigators to identify the cause of the incident and of course, your external lawyers, so that you can pull them in straightaway to help you identify the legal implications.

James Longster 00:09:46:06 - 00:10:15:07
Advise on notification strategy and potentially to ensure that communications with other advisors are privileged. So you've got your team assembled, but you would also ideally have a data incident action plan to fall back on, and this would include timelines. Responsibility allocation so that everyone knows what they're doing and when they need to do it by. And we've also found that it's often really beneficial to have a communication strategy in place, particularly given that in some instances the systems you might ordinarily use to communicate are impacted by the breach.

James Longster 00:10:15:14 - 00:10:41:14
Now, above all, from a legal perspective, you need to have appropriate, technical and organized national measures in place to satisfy your obligations to keep data secure under the UK, GDPR or the GDPR if it's relevant and the types of measures that you should put in place will depend on the context. And a deeper dove on that would require a separate podcast series, but it's important to remember that as well as preventing the incident from happening in the first place, prevention being, of course, better than the cure.

James Longster 00:10:42:03 - 00:11:04:04
You'll need measures to mitigate a breach when it occurs, say, for example, systems to spot, track and evidence intrusion from the outset, it's important to have a good data protection practice in place to minimize personal data siloed, encrypted. As the less personal data that is exposed, the smaller your practical risk is. And of course, taking these steps will help you comply with the law.

James Longster 00:11:04:10 - 00:11:25:00
I think this is a point on which people often get confused. The fact that there can be a personal data breach. So that's a security incident affecting the confidentiality, integrity or availability of personal data, but with no actual breach of legislation. And this was the case for Morrisons. That's because they were found to have had in place appropriate security measures.

James Longster 00:11:25:08 - 00:11:41:03
But even if you are found to have breached data protection legislation and it comes to enforcement by a regulator, the question of whether it's a one off incident or evidence of a systemic issue is likely to influence the regulator's response, including if your businesses find the level of that fine.

Adam Wyman 00:11:41:11 - 00:12:01:02
I'd just like to add to the point you made, James, about identifying your response team as well as appointing your response team. It's important to have a plan for how you're going to investigate so that you can quickly ascertain the nature of the issues. We're regularly brought in support clients in those situations, managing the investigation with support from forensic investigators.

Rachel Wilson 00:12:02:00 - 00:12:25:15
Completely agree with that outcome. We've all seen in the work that we do together how important it is to get the investigations piece right and to prepare carefully for it. There's also a privilege point here, which I think is worth mentioning. If you involve lawyers at the outset, it may be possible to cloak any investigative work in legal privilege, which may be important if you do face regulatory or legal action further down the line.

Rachel Wilson 00:12:26:09 - 00:12:51:03
I'd also add that you should haven't appointed a record keeper who's trained in keeping accurate known prejudicial records to document any breach response. It's worth remembering that you were required to record all breaches their effects and all remedial action taken accordingly. Even if you do decide that you don't need to notify the breach to the regulator or to impact data subjects, you should still record the rationale for not doing so.

Adam Wyman 00:12:52:07 - 00:13:17:15
And bringing us back to people. Training staff on cybersecurity risks is essential as well as having clear policies on what is and isn't allowed. It's interesting that the UK Government's 2022 survey found that only 17% of businesses provide training to staff not directly involved in cybersecurity, although that leaps to 61% in large organizations. Just to circle back to your point, James, on The Intercept, 4.4 million, fine.

Adam Wyman 00:13:18:01 - 00:13:35:04
The ICO called out a lack of staff training where ideally you'd also wargame a data breach with your staff in a similar way to competition law domains, training. And it's important to build as the ICO advocates, a culture of trust which encourages self-report incidents rather than trying to cover up their mistakes.

James Longster 00:13:36:10 - 00:13:54:13
Yeah, I completely agree, Adam. If employees fear personal repercussions from a state party flag, then quickly they're less likely to come forward. And that may influence how you handle that kind of error. So that's all for now from me, Adam and Rachel on this episode of The Importance of Not Overlooking Internal Threat Actors and How to Prepare. Thanks for listening.

James Longster 00:13:55:03 - 00:14:05:08
Please join us again soon for the next episode in the series. When we looking at the employment considerations and regulatory backdrop to data breaches caused by internal threats.

Back To Top