Simple steps to prevent employee data misuse

23 March 2026

A version of this article was first published in August 2016.

Data breaches aren’t just caused by shadowy hackers in distant corners of the internet. Often, the risk sits much closer to home.

With cyber-attacks on the rise, most businesses are tightening up their external security. Firewalls, multi-factor authentication, single sign-on and smarter software are all important. But insider threats — fraud, misuse of employee data or simple human error — are still too often overlooked.

Whatever the size of your business, from a sole trader to a multi-location operation, the impact can be serious.

What is insider data misuse?

An insider threat can be a current or former employee, contractor, supplier or service provider with access to your systems.

Sometimes it’s deliberate fraud. Someone downloading sensitive data before leaving to join a competitor or selling payroll data for financial gain, for example.

More often than not, though, it’s accidental. According to the cyber-security company Mimecast, 95% of data breaches are caused by human error. For example, an employee might email several clients without using BCC, or send out a document they shouldn’t. Storing documents on an unsecured device or using an unapproved app to get work done faster also fall into this category.

It’s the things anyone could do, because of a lack of time, thought or process. There’s usually no malice behind it.

Ultimately, the result is the same: sensitive data can end up being exposed.

Why data protection matters for every business

Your business will hold customer data, and if you employ staff, you’ll also hold the personal information of your team — contact information, bank details, National Insurance numbers and health data.

For most businesses, employers’ liability insurance is a legal requirement. It’s there to help if an employee is injured or becomes ill because of their work. You may also have public liability insurance, which is designed to cover claims made against you by members of the public for property damage and accidental bodily injury, illness, disease or even death as a result of your work.

But legal responsibility doesn’t stop at physical safety.

You also have a duty to handle the data you hold responsibly. A serious breach could mean:

  • Regulatory investigation by the Information Commissioner’s Office (ICO)
  • Fines and legal costs
  • Reputational damage and loss of trust internally and externally

For financial services businesses, there may also be reporting obligations to the Financial Conduct Authority (FCA).

Put simply, protecting customer and employee data is part of protecting your business.

Simple steps to prevent employee data misuse

You don’t need an enterprise-level IT department to reduce your risk. A few practical in-house steps can go a long way.

Review access regularly

Not everyone in your team needs access to everything. Limit access to payroll, HR records and sensitive documents to those who genuinely need it. And review permissions when someone changes roles or leaves.

Removing access promptly is one of the simplest ways to prevent insider data misuse.

Create clear data handling policies

Make your data handling policies obvious:

  • What counts as confidential information
  • Where it can be stored
  • Which apps and systems are approved
  • What’s never acceptable

Keep policies clear and easy to understand. Also, make them easily accessible. Most people don’t misuse data because they’re malicious — they do it because they’re not sure.

Train your team

Short, regular training sessions can help employees:

  • Recognise phishing emails
  • Use strong passwords
  • Avoid insecure file sharing
  • Report mistakes quickly

Data protection shouldn’t feel like a tick-box exercise. It should feel like common sense.

Monitor activity appropriately

You don’t need to spy on your workforce. But audit logs and basic monitoring can help you spot unusual behaviour early, like large downloads or repeated access outside normal hours.

Early action can prevent a small mistake from turning into a major breach.
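As an added illustration (not code from the original article), here is the kind of basic check the section describes, run over a few constructed audit-log lines to flag large downloads and repeated out-of-hours access. The log format, thresholds, working hours and user names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, user, action, file, size in bytes
SAMPLE_LOG = """\
2026-03-02T09:15:00 alice download payroll/march.xlsx 240000
2026-03-02T22:40:00 bob download hr/contracts.zip 180000000
2026-03-02T23:05:00 bob download hr/appraisals.pdf 5200000
2026-03-03T02:30:00 bob view hr/salaries.xlsx 0
2026-03-03T10:00:00 carol download sales/q1.pptx 3500000
2026-03-04T07:45:00 alice view hr/leavers.csv 0
"""

LARGE_DOWNLOAD_BYTES = 100 * 1024 * 1024  # 100 MB; assumed, set from your own baseline
WORK_HOURS = range(8, 19)                 # 08:00-18:59 treated as "normal hours"
OUT_OF_HOURS_LIMIT = 2                    # more than this many events gets flagged


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "bytes": int(size)})
    return events


def find_large_downloads(events, threshold=LARGE_DOWNLOAD_BYTES):
    """Return (user, path, bytes) for every download larger than the threshold."""
    return [(e["user"], e["path"], e["bytes"]) for e in events
            if e["action"] == "download" and e["bytes"] > threshold]


def find_out_of_hours_users(events, limit=OUT_OF_HOURS_LIMIT):
    """Return {user: count} for users with more than `limit` events outside WORK_HOURS."""
    counts = defaultdict(int)
    for e in events:
        if e["time"].hour not in WORK_HOURS:
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n > limit}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Large downloads:", find_large_downloads(evs))       # bob, hr/contracts.zip
    print("Out-of-hours users:", find_out_of_hours_users(evs))  # {'bob': 3}
```

A single late-evening login is normal for many teams, so the thresholds matter more than the code: set them from what your own logs show as typical before acting on a flag.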

Plan for employee turnover

Employee turnover is a common moment for data loss.

When someone leaves the business, you should have a proper process in place, which includes:

  • Disabling system access immediately
  • Collecting company devices promptly
  • Updating shared passwords
  • Reminding them of confidentiality obligations

What to do if you suspect insider fraud

If you believe an employee has committed data fraud or misused confidential information, you should act carefully and quickly.

  1. Speak to a legal team, whether in-house or external. Your lawyer can support you through the process and advise whether you need to notify regulators such as the ICO — and, if you operate in financial services, the FCA.
  2. Prepare an investigation plan. This creates structure and protects you if the situation escalates into litigation or regulatory scrutiny.
  3. Gather evidence discreetly. Review email records, system logs and access history to understand what was accessed and how.

Don’t forget that timing matters. Interviewing too early may mean you lack evidence. Waiting too long could give someone time to cover their tracks.

If data has been taken, consider your options for getting it back. In some cases, a formal legal warning is enough. In more serious situations, you may be able to get a search and seizure order.

Once the immediate issue is resolved, review what happened. From here, you can strengthen processes, improve monitoring and update your training.

Every incident is an opportunity to reduce the risk of the next one. But don’t leave it until there is an incident, which will cost you time, and potentially customer or employee trust.

Protecting your people and your business

Clarity, consistency and common sense go a long way in protecting your data. But insurance can support, too.

Cyber insurance is designed to cover any business operating online or exposed to the internet, as well as the risks that come with storing and handling data when running a business. And while it doesn’t replace strong data protection practices, it forms part of a broader approach to managing risk responsibly.

It’s designed to help with your liability for handling data and can also cover costs linked to cyber extortion, system restoration and public relations support, along with financial losses caused by system downtime. Think of cyber insurance as your last line of defence if hackers break through your existing security measures.

Protecting your business isn’t just about guarding against what’s outside your walls. It’s about looking after what’s inside them too.
