In the news last week, the Court of Appeal found that Morrisons Supermarkets should be held liable for a rogue employee’s deliberate disclosure of his colleagues’ personal data. A Senior IT Internal Auditor, Mr Skelton, used his legitimate access to the company’s staff payroll data to copy it onto a personal USB drive and then upload it into the public domain on a file-sharing website. Mr Skelton was acting on a personal grudge against the company over disciplinary action he had previously been subjected to. While he was convicted and imprisoned for 8 years for his crimes, the Court of Appeal ruled this week that the employer, Morrisons, was vicariously liable for his actions and may have to pay damages to some of the 100,000 Morrisons employees affected by the breach, whose leaked personal data included names, addresses, national insurance numbers, banking and salary information.

This ruling could have enormous consequences for other UK employers, almost all of which have vulnerabilities in their own cyber security, in particular to insider threats from among their own employees. Evidence suggests that between two-thirds and three-quarters of all cyber attacks are at least partially a result of insider threat – defined as cyber threats that originate from people within the organisation, such as employees, former employees or contractors who have inside information about, and access to, the organisation's security practices, data and computer systems. Likewise, a 2017 study by IBM and X-Force in the US found that 58% of attacks against financial services and 71% of attacks against health care organisations came from inside employees, either maliciously or inadvertently.

Some of these threats will be employees seeking financial gain or doing the bidding of competitors, stealing data as a form of corporate espionage. Others, as in the Morrisons case, will come from disgruntled former or current employees seeking revenge for perceived injustices at work. While there are some security measures employers can put in place to guard against this, such as requiring unique user accounts with two-factor authentication and ensuring employees don’t have more privileged access to systems than they need to do their jobs, there are limits to how much this threat can be mitigated by technical solutions alone. The problem is that, as in the case of Mr Skelton, insider threats can result from employees misusing legitimate and necessary access to corporate systems, and their malicious activity can be hard to distinguish from them simply doing their regular job.

While good security protocols are important, perhaps the best way to protect against this kind of security threat is through a strong focus on employee engagement. Employees are far less likely to vent their rage and frustration with their employers through acts of malicious sabotage if they have a strong voice in the organisation and other legitimate avenues to seek redress for their grievances. Likewise, line managers who are closely engaged with their teams, listening to feedback and attentive to their employees’ moods and behaviour, are far more likely to pick up on potentially disgruntled employees and head off problems before they escalate to this kind of situation. Strong trust between the workforce and management, and an expectation that their voice will be listened to and valued, will also make co-workers confident to speak up and alert management if they notice concerning behaviour from one of their colleagues. Finally, having a strong workplace culture with shared values means that those rare employees motivated by personal greed, or by external political or social agendas that they wish to promote at the company’s expense, are more likely to stand out and be easily identified before they can act.

Insider threat also extends far beyond deliberate and malicious actions – in fact, around half of all insider threats result from inadvertent breaches by employees who usually don’t realise the full consequences of what they are doing. Often this is itself a result of poor training and education – something which can reflect deeper problems of poor engagement and a silo mentality in which cyber security and IT functions are isolated from strategic management and HR. Often in organisations, employees receive one set of instructions about cyber security from IT or cyber security professionals, and a competing set of priorities around productivity and performance from their line managers, which encourages them to cut corners and ignore time-consuming security protocols. Inevitably, the demands from line managers win out and cyber security is compromised. A more joined-up approach, with cyber security forming part of a strong strategic narrative from the top of the organisation that all managers are bought into and actively working to promote, offers a far better likelihood of success. The IPA are keen to work with the National Cyber Security Centre and other organisations to promote better thinking around how to engage with the workforce over cyber security issues. Anyone interested in learning more should get in touch.


Patrick Briône is Head of Policy & Research at the IPA

[email protected]

0207 759 1004