Ofcom – Highlighting the Insider Threat


UK communications regulator Ofcom is facing one of the biggest data breaches in its history, after a former employee offered a collection of potentially sensitive information on TV companies to their new employer, a major broadcaster.

A spokesperson for Ofcom confirmed that they had become aware of “the misuse of third party data by a former (Ofcom) employee” on the 26th February. It is thought that the former employee had downloaded data – possibly going as far back as six years – before leaving the company. This information was then offered to the new employer, potentially giving it a competitive edge over rival companies. Rather than taking advantage of the information on offer, the company instead alerted Ofcom.

Keeping an eye on activity within your organisation can be a challenging task, especially considering that this kind of information may be freely available to all employees. Add to this the insurmountable volume of unstructured data that is being created each day [2.5 quintillion bytes according to the IBM Big Data Report], and the data protection challenge for any organisation today feels like a mountain to climb.

The good news is that there are some quick and relatively easy ways to get started and make some inroads into this mountainous task. Something that both Gartner and Forrester recommend is that before you make any decisions on data security, you first need to determine:

  • What data you have
  • Where it is
  • What value it has to the organisation
  • Then you classify or tag it with an appropriate label

 

Data classification is the first step to ensuring you can protect your information throughout its lifecycle. Once documents, files and messages are labelled (visually and with metadata) it then makes life easy for other complementary downstream security solutions, such as DLP, information rights management and access control.

Furthermore, the job doesn’t end with the label. Once you have labelled something you need to be able to monitor and report on any classification activity to verify user trust and demonstrate compliance with data protection regulations (such as the EU GDPR) or industry-specific regulations (such as HIPAA, ISO 27001, etc.). More to the point, how will you be able to prove the value in data classification without a reporting toolset? Senior security decision makers need to be able to show the senior management team or board that the tools they have invested in have delivered value, and the new Classifier Reporting tool is one way customers are achieving this level of visibility.

Not only does Classifier Reporting allow you to demonstrate your compliance position, measure effectiveness and focus organisational improvement, this new tool also allows you to monitor user behaviour as well as predict threats and identify risky users. You can find out more about Classifier Reporting by downloading the latest whitepaper. After this recent incident, Ofcom might want to start following the example of Ofgem.

You can also brush up on the impending new EU General Data Protection Regulation (GDPR) by listening to last week’s webinar in association with techUK and EY, and hear the practical insights given for organisations of all sizes to help them start to prepare for the EU GDPR, and why adopting a data-centric security approach will help improve data governance, reduce the risk of data loss and lower compliance costs.