IT Security for New Zealand Businesses – The threat within

10 July 2018

Data protection is the process of safeguarding important information from corruption, compromise or loss.

Many of us will have watched with some concern the ongoing reports of hacking, ransomware (where a hacker locks or encrypts your company data and demands a ransom before releasing it) and data theft by outside agencies.

IT Security Threats Pose New Risks for Owners and Directors

As owners and Directors of businesses in this country, we cannot ignore the real risks presented to our companies by theft or destruction of company data. Stricter laws governing Director’s responsibility make risk management and mitigation very personal.

Henri Elliot, Founder and CEO of Board Dynamics commented to me recently, “It is essential Directors take a strong position on all forms of risk. Risk should be on the Board’s agenda each month and should be appropriately categorised. For example – is a staff member taking a list of clients a company policy issue? An HR issue? An IT security issue? In truth, it is all of the above and Directors need to take a holistic approach.”

Security Risks Are Mainly Internal

The scary thing when we consider the risks around IT is that it is not the sneaky Russians or the depraved teenage geeks who represent the real threat to most businesses. In fact, it’s often quiet Jane from Finance or good old reliable Mac from Sales who represent the real and present danger.

If you think I am being a bit dramatic (and my wife would agree with you) think again. Here are a few things that should give you food for thought.

Nearly two-thirds of employees surveyed, who leave an organisation voluntarily or involuntarily, say they take sensitive data with them.

That is a real wake-up call when you consider that your staff will almost inevitably have access to sales and customer records, design secrets and new product plans.

Nine out of ten Information Technology (IT) staff surveyed indicated that if they lost their jobs whether through redundancy or by firing would take sensitive company data with them.

Techies are extra smart, often socially inept and prone to impulsive behaviour when stressed. Just because Jason the geek is a bit dishevelled in the morning doesn’t mean he is not capable of revenge served cold.

So how does Jane, Mac or Jason walk out the door with your most valuable secrets? In truth, they probably don’t. Your worst enemy is email. Over a quarter of data, thefts have been as simple as attaching a file to an email and sending it home or to a friend.

Next on the IT security threat list for most small to medium businesses is that convenient friend, the USB stick. In many cases, these data downloads start quite innocently with your trusted person downloading files, so they can work from home.  It’s only when they are preparing to leave that the true value of the customer list they downloaded becomes clear.

I can dwell on ways you can lose your company data, but in truth, this only serves to make you overly fearful. Instead, let’s look at a couple of the signals that your data may be at risk.

Signals Your Data Might Be at Risk 

Negative Work Events

Laying off or firing staff, whatever the reason should be a signal that your data is at risk. A huge proportion of internal IT security failures come from a desire for revenge. If you are planning to terminate a staff member it is important that you monitor that person’s behaviour. A surge in large data files being downloaded or emails to an unusual address should be a huge red flag.


In many cases, data security failures are just a case of staff members, managers, or owners who just don’t get it. Data is valuable only if you see it that way.

The signals of complacency are often clear. You should be troubled by people violating simple IT security policies like keeping passwords protected. It is the company who will pay and the staff who end up with their jobs at risk if you ignore the knowingly irresponsible behaviour.

Next month I will run through the key things you can do to reduce the risk of insider security threats without treating your much-loved people as if they are criminals.