Imagine this scenario: A dual-nationality police officer lives with his wife and children in one country, while his parents live in another. He’s honest, loyal, and passionate about his job. One morning, the officer receives a call from someone in the country where his parents live,threatening to hurt them unless he hands over sensitive information relating to the police force. Facing this ethical dilemma, the officer is stuck. He’s a dual citizen, loyal to thecountry in which he serves, but his only chance to save his parents is to comply with the illegal request.
Every case like this of an employee leaking security-sensitive information is unique, yet each poses a threat to the safety and prosperity of a country. To reduce or even eliminate these leaks, it’s important to understand what drives an employee to carry out such an act in the first place. The reasons why employees leak information are as varied as the information being leaked – financial difficulties, lack of loyalty, employer abuse, or blackmail by an external source.
OLooking on the bright side, organizations can implement processes to detect potential threats during the early stages of recruitment, for example, via security screening. However, behavioural testing is required to detect most signs that someone may be prone to leaking sensitive data. An organisation may choose to use an assessment tool that identifies behavioural risks, loyalty and reliability. While this kind of process is vital to prevent data breaches, regularly following up on employees is even more crucial.
Most news stories about data breaches are sensational ones about terrorists leaking information or white-hat hackers exploited by foreign governments. Reality paints a different picture. According to IBM, 60% of attacks on organizations are internal, and 40% of these are intentional.
The Swedish government are taking steps to prevent such breaches, and they have good cause. In 2017, they announced that contractors in some Eastern European countries, including Romania and Czechia, may have acquired access to Swedish driving-licence records and military information. The Swedish transport agency collaborated with IBM and found the incident was caused by an internal breach atIBM. Regardless of whether the breach was malicious or accidental, it shows the potential severity of an insider data breach.
Due to these kinds of threats to Sweden’s safety, the government is cracking down. They are directing their attention towards the human side of cybersecurity, exemplified by the head of police security’s call for stricter document regulations during security tests. Their main aim is to restrict access to critical information on a need-to-know basis. Going back to our example at the start of the article, employees with dual nationality are of especial concern due to the risk of criminals in the other country using the employee to obtain sensitive information. In light of this threat, the Swedish government is taking the right approach to controlling information leakage.
Paying attention to the human side of cybersecurity is critical not only for the safety of an organization but for an entire nation. Only by tightening processes and checks can the increased prosperity and safety of a nation be assured.