Last month two CCTV company employees were jailed for illegally accessing footage of Argentinian footballer Emiliano Sala’s body as it lay in a mortuary. Mr Sala was tragically killed in January when his plane crashed in the English Channel en route to Wales after he’d signed for Cardiff City FC.
His death led to an outpouring of grief from across the world but these dignified condolences were in stark contrast to the sinister and twisted behaviour of Sherry Bray, the director of Wiltshire-based Camera Security Services, and her employee Christopher Ashford. As Mr Sala’s recovered body lay in Bournemouth Borough Mortuary for post-mortem examination, the two accessed and shared footage of the procedure to satisfy what the Swindon Crown Court judge referred to as a “morbid curiosity” when jailing them for their actions.
This case not only raises dark questions about human nature, it also provides an illustration of the consequences that can result when a company’s secure information is misappropriated.
While we’ve seen a number of high-profile stories about businesses and organisations having their data breached by hackers, criminals and other external sources, it is often the “insider threat”, the enemy from within, that poses the biggest risk.
Virtually no business or organisation is immune to this – even software security companies. In June it was reported that California-based McAfee, one of the world’s largest dedicated security technology companies, raised proceedings against three former employees, accusing them of illegally accessing sensitive and confidential data which they allegedly took with them when joining a competitor.
Unlike the two Camera Security Services colleagues who carried out their illegal actions for improper purposes, many breaches can occur unintentionally. I often advise on cases where employees and contractors have copied company data on to a personal laptop or have sent confidential information from their work email to a personal account so they can access it when working out of the office.
Although such actions may be well-intended, they can carry major risk – once confidential information is no longer stored on a company’s secure network, the possibility of its misuse becomes significantly higher. Once it’s out there the information is significantly more vulnerable to malicious use, and a business or organisation has no control over who might access it and where it might ultimately end up.
Essential security steps
There are a number of practical measures which can be used by companies to limit this insider threat. A sensible first step is to set up a system whereby sensitive and confidential data is suitably categorised within a company’s server. If it’s sent outwith the server, a flag is raised within the IT department.
More practical steps include ensuring that any employee who works from home can do so either via VPN access to a company laptop or via other secure access to their work email when out of the office. This avoids employees having to send data to personal email accounts in order to work from home. Providing colleagues with a secure means of working remotely via the company servers removes the need for company data to sit in personal email accounts, where it could be hacked or misused.
Businesses and organisations can also prevent personal devices from being used alongside their internally supplied computers, reducing the transfer of data via USB sticks. My simple advice is that non-issued storage devices (including mobile phones) should not be capable of being connected to company computers or laptops.
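The flagging step described above, categorised data raising an alert when it leaves the company server by personal email or removable media, can be illustrated with a small detection routine. This is an added example, not code from the article or from any firm it names; the corporate domain, personal mail domains and the sample egress log are all constructed.

```python
"""Flag classified data leaving the company network (added example).

Each constructed egress event records the classification label applied on
the server, the channel the file left by, and its destination. A flag is
raised for the IT department when a confidential or restricted file goes to
an external mailbox or to removable media; access over the sanctioned VPN
share route is not flagged.
"""
from dataclasses import dataclass

COMPANY_DOMAIN = "example-corp.test"                  # assumed corporate mail domain
SENSITIVE_LABELS = {"confidential", "restricted"}     # labels that must not leave
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list


@dataclass
class EgressEvent:
    user: str
    label: str          # classification applied on the company server
    channel: str        # "email", "usb" or "vpn_share"
    destination: str    # recipient address, device id or share path


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def flag_event(ev: EgressEvent):
    """Return a reason string if the event should be flagged, else None."""
    if ev.label.lower() not in SENSITIVE_LABELS:
        return None                                   # public data may leave freely
    if ev.channel == "email" and mail_domain(ev.destination) != COMPANY_DOMAIN:
        kind = "personal mailbox" if mail_domain(ev.destination) in PERSONAL_MAIL_DOMAINS else "external domain"
        return f"{ev.label} file emailed to {kind} {ev.destination}"
    if ev.channel == "usb":
        return f"{ev.label} file copied to removable media {ev.destination}"
    return None                                       # VPN access to the company share is sanctioned


def flag_events(events):
    return [(ev.user, reason) for ev in events if (reason := flag_event(ev))]


# Constructed sample log, not real data
SAMPLE_EVENTS = [
    EgressEvent("alice", "confidential", "email", "alice.home@gmail.com"),
    EgressEvent("bob", "public", "email", "bob@gmail.com"),
    EgressEvent("carol", "restricted", "usb", "USB\\VID_0781&PID_5583"),
    EgressEvent("dave", "confidential", "vpn_share", "\\\\fileserver\\legal"),
    EgressEvent("erin", "confidential", "email", "counsel@partnerfirm.test"),
]

if __name__ == "__main__":
    for user, reason in flag_events(SAMPLE_EVENTS):
        print(f"FLAG {user}: {reason}")
```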
Whether an internal data breach occurs for improper reasons – as an act of revenge against an employer, an attempt to defraud them or through “morbid curiosity” – or unintentionally, it can result in major harm. Along with the potential reputational damage, under GDPR organisations face fines of up to €20 million (£17m) or 4 per cent of total worldwide annual turnover for breaches.
Businesses that are serious about addressing the internal threat to cybersecurity should adopt and implement effective written policies and regularly communicate their significance to staff. Regular training sessions can promote awareness of the risks and, if relevant, the consequences of misusing confidential information. While it’s impossible to eliminate all cybersecurity risk, it can certainly be significantly reduced by taking some of the practical steps outlined above.
Given the remorse expressed by both defendants in the Emiliano Sala case, it is possible that some of these measures could have stopped them from pursuing the unfortunate and distasteful actions that led to their imprisonment.
- Neeraj Thomas, of counsel and intellectual property specialist at law firm CMS