The reputational damage to eBay could hardly be greater. Every single one of its 15 million British users is being required to change their passwords following a security breach. One would expect that a company as large as eBay would have fairly stringent security measures in place. So what kind of highly sophisticated hacking techniques could have been used to bypass their defences?
Well, it was the work of hackers, but it wasn’t as high-tech an operation as many may assume. The information appears to have been accessed through the use of an employee’s log-in details.
On reflection, this is really not very surprising. After all, a company’s data is only as secure as the employees who are permitted to access it. Every company has data that it needs to protect, and in all cases at least some employees are going to need to have access to that data.
What eBay’s experience demonstrates is that no matter how technically secure a system is, as long as employees are able to access it, there will be a risk of the data being misused. So employers need to take appropriate steps to reduce the risk of this happening.
The starting point is to ensure that employees are only given access to information that they reasonably need to carry out their duties. If only a limited number of employees can access the most secure data, this greatly reduces the risk of one careless (or malicious) employee compromising the whole system.
As with so many employee issues, it is also important to have clear and comprehensive staff policies governing employees’ access to company systems. This is usually set out in an IT policy, or sometimes in a more specific Systems Resources policy. The policy should inform employees of the need to keep their login details secure and the rules regarding IT usage should be clearly set out.
Where there is a breach of the policy, it should be dealt with as a serious disciplinary issue. This should be the case even where no loss actually occurs as this will help to prevent complacency among staff.
However, no matter how robust a company’s policy is, it’s unlikely to stop an employee who is intent on misusing their login details – perhaps for personal gain. Therefore, it’s equally important for employees’ IT access and usage to be appropriately monitored.
Again, this monitoring of employees should be clearly set out in the policy. It’s entirely reasonable for employers to monitor employees in these circumstances, but if it isn’t highlighted in a policy, employees could raise concerns regarding privacy. Employees are also far less likely to misuse company data if they know that their actions are being monitored.
No company will ever be able to completely eliminate the possibility of staff carelessly or improperly accessing company data. A strong and well administered policy can reduce the risk of this happening. It can also help to identify any wrongdoing at an early stage and this could drastically reduce any damage caused.
Article by Andrew Crudge, Associate, Thomas Eggar LLP