What can Gospel do to limit the damage of the insider threat?
Last week the UK high court confirmed that Wm Morrisons, the large grocery retailer, was “vicariously liable” for the actions of a former employee who maliciously shared his (now former) colleagues’ details on the internet, including names, home addresses and salaries. How could technology like Gospel’s help limit the criminal actions of people who deal with data?
It came as a bit of a shock to one of the UK’s largest retailers. They had gone into court confident that the judges would side with their assertion that one of their former employees had undertaken a criminal act, and that therefore they could not be held responsible for the ensuing fallout. The judges felt otherwise, upholding a previous ruling that under vicarious liability companies are deemed ultimately responsible for any actions of an employee that take place during the course of their employment. Morrisons will take the ruling to appeal – but the judgment seems to revolve around the idea that they hadn’t taken enough reasonable steps to prevent the acts carried out by the employee.
As well as having been caught running a substantial eBay business through his workplace, Andrew Skelton had then gone on to download the payroll data of over 100,000 colleagues that he had full access to as a Senior Internal Auditor at the firm. Not only this – he had shared their details over the internet, leaving the victims open to potential identity fraud. For this he was jailed for eight years in 2015. However, the new ruling revolved around a subsequent class action brought by 5,518 Morrison employees for compensation for distress and inconvenience as a result of the leak (the largest ever action in the UK over data leakage).
Morrisons’ lawyers pointed out that their client had taken reasonable steps (before the new GDPR regulations) to report the incident, take down the data and assure employees that any financial loss would be covered. However, the lawyers representing the claimants said that they had a right to expect that the sensitive data they had been obliged to hand over to their employer would remain confidential, regardless of any other internal party’s rogue actions. Effectively, Morrisons hadn’t done enough to prevent the misdeeds in the first place.
Insider threats are difficult to spot
So where does this leave employers? What are reasonable steps to restrict the ability of a bad apple from sabotaging your corporation’s data?
Let’s be realistic: there is only so much you can do against an employee with a grudge, especially one whose grudge is harboured beneath the outward impression of being happy and contented. People need to see certain types of data (not just employee data) in order to do their jobs effectively, and within effective organisations a natural sense of trust grows organically as you collaborate and work within teams to achieve common goals for both you and your customers.
In fact, if this trust didn’t exist it would be a pretty miserable place to work – if you don’t feel trusted as an individual in your role it can be a hurtful and demoralising experience.
Doubling down on security protocols and burying the data behind silo walls have long been the traditional ways of trying to prevent data leaks. However, modern enterprises need to share data with other departments and third-party outsourcers, both to take advantage of the insights it gives and to run efficient operations. This data paradox means that either the data is unusable or inaccessible for collaboration, or the protocols are simply ignored and the data is shared anyway – completely outside the control of the organisation.
Duncan Brown, Associate Vice President of European Infrastructure and Security at IDC, told Gospel: “Even though the drive to become digitally transformed is there, around three-quarters of projects have stalled because large organisations are simply unable to share data securely. They are ‘digitally distressed’. Not only is this inability to create trusted data costly for their businesses, it presents a real existential threat to their very existence.”
Reducing the attack surface
The answer must lie in the access to data you allow any one individual at any one time. If they are not given access to large amounts of data in the first place, they cannot be responsible for what happens to it – deliberate or otherwise. No-one is singled out as untrustworthy – it’s simply a case of only seeing what you need to complete your particular task. Higher-level aggregated reporting or communicating can still be done without the need for total exposure to the granular detail.
This way the control is back in the hands of the employer as a whole, not individual employees, especially important across silo boundaries and outside of an organisation’s perimeters where business process outsourcing exponentially increases the risk of exposure.
Take a third-party travel agent working for a large company. They only need certain details of an individual at any one time to book them a flight for a business trip, for example. They do NOT need access to ALL the employee information to trawl through, and likewise they do not need a staff member at the employer’s end to collate such a bundle of information for them. Both these scenarios of course carry risk of said information falling into the wrong hands and causing damage.
Gospel works on this principle: access to the granular information on individual records is achieved through a private blockchain but strictly controlled through consensus technology, satisfying those who need the individual record information while also meeting the requirement to keep the records as a whole protected and confidential as far as possible. Access can be controlled right down to individual field level, and a field can even be protected through indirect confirmation (e.g. is this employee over 21? Y/N), so the caller learns the answer without ever seeing the underlying value.
What you don’t know can’t hurt you (or someone else)
Let’s look again at our Morrisons scenario through the eyes of Gospel. Provided Gospel is the proprietary data source of record (and not the HR systems) then yes, as Senior Internal Auditor he could be given access to all those individual records that he had before – but never in a downloadable bulk format. There’s nothing to stop him screen-grabbing or photographing 100,000 records – but it would take a heck of a long time, and would surely act as a deterrent to going through such an exercise. A timeline of activity related to those records would also exist.
Further, the blockchain holds an immutable record of all transactions undertaken on the data. Not only would this record any authorised access to data that could be traced back to an individual, it would also record any attempted access that was subsequently refused by the consensus mechanism.
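To make the two ideas above concrete (field-level and predicate-only access from the travel-agent passage, plus the per-session limit on trawling and the tamper-evident log of both granted and refused requests from this passage), here is a small worked example. It is added here and is not Gospel’s code; it does not use a blockchain or consensus mechanism. Instead it models the same control points in plain Python: a role policy, a “Y/N” predicate that answers a question without exposing the date of birth, a per-session budget of distinct records, and an append-only SHA-256 hash-chained audit log. The records, roles, budgets and the `AS_OF` date are all constructed for the example.

```python
"""Added example (not Gospel's code): field-level access gate with a hash-chained audit log."""
import hashlib
import json
from datetime import date

AS_OF = date(2018, 12, 1)  # fixed reference date so the age check is deterministic (constructed)

# Constructed sample payroll records. E006 is under 21 on AS_OF; the others are over.
RECORDS = {
    f"E{n:03d}": {"name": f"Employee {n}", "home_address": f"{n} Sample Street",
                  "dob": f"{1980 + 3 * n}-03-15", "salary": 20000 + 1000 * n}
    for n in range(1, 7)
}

# Constructed role policy: readable fields, askable predicates, and how many distinct
# records one session may touch. The budget is what stops a bulk trawl.
POLICY = {
    "travel_agent":     {"fields": {"name"},           "predicates": {"over_21"}, "record_budget": 5},
    "internal_auditor": {"fields": {"name", "salary"}, "predicates": {"over_21"}, "record_budget": 3},
}


def age_on(dob_iso, as_of=AS_OF):
    """Whole years between an ISO date of birth and the reference date."""
    dob = date.fromisoformat(dob_iso)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


# Indirect confirmation: the caller gets Y/N, never the date of birth itself.
PREDICATES = {"over_21": lambda rec: age_on(rec["dob"]) >= 21}


class AuditLog:
    """Append-only log; each entry commits to the previous digest, so edits are detectable."""

    def __init__(self):
        self.entries = []            # list of (digest, event)
        self.prev_hash = "0" * 64

    @staticmethod
    def _digest(event):
        return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()

    def append(self, event):
        event = dict(event, prev=self.prev_hash)
        digest = self._digest(event)
        self.entries.append((digest, event))
        self.prev_hash = digest

    def verify(self):
        prev = "0" * 64
        for digest, event in self.entries:
            if event["prev"] != prev or self._digest(event) != digest:
                return False
            prev = digest
        return True


class AccessGate:
    """Every request, granted or refused, goes through _gate and is written to the log."""

    def __init__(self, records, policy, log):
        self.records, self.policy, self.log = records, policy, log
        self.touched = {}  # actor -> set of distinct record ids seen this session

    def _gate(self, actor, role, rec_id, action, permitted):
        rule = self.policy.get(role)
        seen = self.touched.setdefault(actor, set())
        if rule is None:
            reason = "unknown role"
        elif rec_id not in self.records:
            reason = "no such record"
        elif not permitted:
            reason = "not permitted for role"
        elif rec_id not in seen and len(seen) >= rule["record_budget"]:
            reason = "session record budget exhausted"
        else:
            reason = "ok"
        granted = reason == "ok"
        if granted:
            seen.add(rec_id)
        self.log.append({"actor": actor, "role": role, "record": rec_id,
                         "action": action, "granted": granted, "reason": reason})
        return granted

    def read_field(self, actor, role, rec_id, field):
        allowed = field in self.policy.get(role, {}).get("fields", ())
        if self._gate(actor, role, rec_id, f"read:{field}", allowed):
            return self.records[rec_id][field]
        return None

    def ask(self, actor, role, rec_id, predicate):
        allowed = predicate in PREDICATES and predicate in self.policy.get(role, {}).get("predicates", ())
        if self._gate(actor, role, rec_id, f"ask:{predicate}", allowed):
            return "Y" if PREDICATES[predicate](self.records[rec_id]) else "N"
        return None


def demo():
    """Run the travel-agent and auditor scenarios and return what each actor could see."""
    log = AuditLog()
    gate = AccessGate(RECORDS, POLICY, log)
    out = {
        "agent_name": gate.read_field("agent-1", "travel_agent", "E001", "name"),
        "agent_salary": gate.read_field("agent-1", "travel_agent", "E001", "salary"),  # refused
        "agent_over21_E005": gate.ask("agent-1", "travel_agent", "E005", "over_21"),
        "agent_over21_E006": gate.ask("agent-1", "travel_agent", "E006", "over_21"),
        # An attempt to trawl every record: the budget of 3 distinct records stops it.
        "auditor_salaries": [gate.read_field("auditor-1", "internal_auditor", r, "salary") for r in RECORDS],
    }
    out["refused"] = [e for _, e in log.entries if not e["granted"]]
    out["chain_ok"] = log.verify()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `refused` is that the denied salary read and the three over-budget auditor reads are in the log alongside the granted ones, which is what lets a reviewer build the “timeline of activity” the passage describes. The budget is a session counter here; a real deployment would tie it to authenticated identity and persist it, but the control shape is the same.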
And that’s the crux. Trust is both a human and a mathematical concept. Betrayal is never something an algorithm would do, but it is the risk you take with any human who needs to interact with sensitive data to complete a task. You will never fully automate these interactions (unless you want an algorithm to assess performance and sign off pay rises!), but the less opportunity you give individuals to betray your trust, the better for everyone concerned.
It’s important to remember that the majority of data leaks are not from malicious internal sabotage – they are often through innocent mistakes or naivety in handling data. Trust your employees to do a good job, but don’t trust them with more of your company data than they need – that way as their employer you will protect them from themselves.
Rob Paton is Brand Consultant at Gospel Technology.