The Big Cybersecurity Threat: Employees

While data privacy and protection (DPP) laws are not really new to the security and compliance landscape, the General Data Protection Regulation (GDPR) is encouraging organisations to adopt a more formal approach to data privacy and protection. 

To address this, they have the Personal Data Protection Act (PDPA) in Singapore. The PDPA provides a baseline standard of personal data protection in Singapore. The PDPA also regulates the flow of personal data among organisations in the country.

However, nowadays, there are still some companies that are not taking the basic steps to improve data protection readiness. This leaves them vulnerable to breaches that can threaten their existence.

Characters that are looking to steal data from organisations may be proxies for enraged activists, career cybercriminals, and hostile foreign governments. However, what many miss out is they can also be members of the organisation’s own staff.

Unfortunately, not all organisations are prepared to counter inside threats. One of the primary ways organisations guard against insider attacks has been through pre-employment screenings.

Checking references with former employers can bring to light any concerns about the individual’s temperament or reliability. This is especially important for jobs that require security clearance. 

Carrying out criminal record checks can also help you assess if an individual can be trusted with sensitive data. Credit checks can also help gauge financial vulnerability. However, screening is often done only one time. Once the individual has been accepted, they are rarely checked again.

A 2013 UK government study indicated that a staggering 76% of inside attackers did not join a company with the intention of sabotaging the company or stealing data. The decision to act maliciously only came as a result of changes in the employee’s ideology or financial situation.

Moreover, it has also been attributed to the employee’s desire for recognition, poor management, drug and alcohol dependency or negative work experience. Only a mere 6% of the 120 cases that were studied showed that inside attacks were the result of deliberate infiltration.

That said, it has become crucial for organisations to take the role of the Data Protection Officer (DPO) seriously. They should also be provided with the right tools to help them manage what is going on in the subsidiaries and departments of the organisation. Also, special emphasis should be given to employees in operations.

It is important to keep in mind that data breaches often occur on the operational level, by mistake or maliciously. That said, companies should take the following steps to ensure their data are protected from inside attacks:

Ensure You Have a Governance Structure

Appoint a Data Protection Officer (DPO) and establish a governance structure that collaborates with the Privacy Program.

Determine Risks

Ensure process, inventory, compliant, product, and project risks are identified. If not managed, privacy incidents or breaches can happen.

Manage Programmes

Communicate policies and make sure implementation of controls is carried out. Accountability of management and staff should also be achieved.

Maintain Compliance Initiatives

To sustain initiatives, test and train staff and carry out audits on a consistent basis.

Respond to Data Incidents and Subject Requests

Manage and document incidents and breaches and data subject requests.


Finding a balance between verifying if employees are observing information-security policies and trusting employees is an integral part of any cyber-risk management programme. It is also important to remember that getting it wrong can have devastating consequences to your business.

Christopher Campisi