Business owners and decision makers are constantly being warned about cyber attacks "from outside." However, your next attack, or your first, could be brewing right under your nose: the cyber criminal may be one of your very own employees, or a vendor you work with regularly.
Internal cyber threats are very real and growing. You may think you have the most honest employees in the world, but criminal intent isn't the only behavior that causes data breaches. Carelessness poses just as serious a threat: a great employee can still make a costly mistake. Whatever the motivation, are you prepared?
A recent Forrester Research survey, "Understand the State of Data Security and Privacy," offers some interesting insight into internal security:
- 25% of survey participants said an in-house crook was the most common path to a data breach in the year before the survey
- Participants also reported that employee carelessness caused 36% of breaches
- 42% of participants had received security training
- 57% didn't know their company's security protocols
- 25% said a breach resulted from inside criminal activity
A business owner should not get smug and assume he's protected. Even careless employees at the federal level have leaked sensitive data, says a report from MeriTalk. Also according to MeriTalk:
- 66% of survey participants believed that security was time consuming and too restrictive
- 60% blamed cybersecurity measures for making their work take longer
- 31% said they ignore security measures at least once a week
- 20% said that security measures interfere with completing their work
There are many ways to skin a cat. When it comes to security, however, many processes and systems need to work together in order to prevent a breach.
Here are 15 ways to keep your company safe from internal threats:
- Vulnerabilities should be identified by all the key company departments working together. That includes, but is not limited to, Security, Operations, HR, IT, Administration, front-line employees and any third parties working onsite.
- Security tactics, processes and procedures should be created that do not impede productivity.
- Particular attention should be given to employees who have access to sensitive data, such as those in the legal and accounting departments.
- The degree of protection for different types of data should be clarified to enable proper identification of risk. All data is important, but leaked sensitive data can be damaging.
- There should be an analysis of the various kinds of technologies that can be used for security, as well as a cost/benefit analysis. Don’t throw money at solutions without fully determining their value and shelf life.
- Ultimately, the company will want to determine who should have access to data and who should not.
- Another smart idea is to find out what a company’s weaknesses are—from the viewpoint of an outside attacker. Hire “penetration testers” also known as “ethical hackers”.
- Password managers should be used when employees are required to access multiple sites.
- Access controls must be inspected. This means any credential or device used to access facilities or systems must be secured, and must be revoked or deactivated when an employee departs.
- Multifactor authentication should be in place for access to sensitive systems.
- Encryption should be used system-wide, on and off premises.
- There should be an alert system for suspicious events. Today's security technology has lots of literal bells and whistles that alert to issues. However, like a car alarm going off, they can numb the user. Training on what these bells mean is essential.
- An efficient disposal system should be created for electronic and hardcopy data and also devices. Shred, burn, destroy.
- Device recognition is very important. Knowing what a trusted device is on the network is another layer of protection.
- Transparency is a must to ensure efficient operations. Those responsible for putting security in place must thoroughly explain why and how various requirements or restrictions affect the company and its employees.
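Two of the items above, revoking access when an employee departs and deciding who should have access at all, are the ones most often left to a manual checklist. Below is an added example (not from the original article or its author) of the reconciliation check a security engineer would run on a schedule: it compares an HR roster against a directory-account export and a badge/device register and flags access that should no longer exist. The data structures, field names and the three sample records are constructed for illustration and assume exports that carry an employee status, a termination date, an account-enabled flag and a last-login timestamp.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample data: an HR roster, a directory-account export and a
# badge/device register. Illustrative only; not taken from any real system.

@dataclass
class Employee:
    emp_id: str
    username: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None

@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[datetime]

@dataclass
class Device:
    device_id: str
    owner: str                           # username of the person it was issued to
    active: bool

ROSTER = [
    Employee("E100", "asmith", "active"),
    Employee("E101", "bjones", "terminated", date(2024, 3, 15)),
    Employee("E102", "cwang", "terminated", date(2024, 2, 1)),
]

ACCOUNTS = [
    Account("asmith", True, datetime(2024, 4, 1, 9, 5)),
    Account("bjones", True, datetime(2024, 3, 20, 22, 41)),   # enabled and used after departure
    Account("cwang", False, datetime(2024, 1, 30, 8, 0)),     # correctly disabled
    Account("svc-vendor", True, datetime(2024, 4, 2, 3, 0)),  # no HR record at all
]

DEVICES = [
    Device("BADGE-17", "asmith", True),
    Device("BADGE-23", "bjones", True),   # badge never deactivated
    Device("LAPTOP-9", "cwang", False),
]

def find_orphaned_access(roster, accounts, devices):
    """Return (severity, subject, reason) findings, most severe first.

    Checks performed:
      * enabled account whose owner HR lists as terminated
      * login recorded after the termination date (strongest signal)
      * enabled account with no HR record (vendor or service account to confirm)
      * active badge/device owned by a terminated or unknown person
    """
    by_user = {e.username: e for e in roster}
    findings = []

    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            if acct.enabled:
                findings.append(("medium", acct.username,
                                 "enabled account with no HR record; confirm owner"))
            continue
        if emp.status == "terminated" and acct.enabled:
            findings.append(("high", acct.username,
                             f"account still enabled after termination on {emp.termination_date}"))
            if acct.last_login and acct.last_login.date() > emp.termination_date:
                findings.append(("critical", acct.username,
                                 f"login at {acct.last_login} after termination"))

    for dev in devices:
        emp = by_user.get(dev.owner)
        if dev.active and (emp is None or emp.status == "terminated"):
            who = "unknown" if emp is None else "terminated"
            findings.append(("high", dev.device_id,
                             f"active device/badge owned by {dev.owner}, who is {who}"))

    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings

if __name__ == "__main__":
    for sev, subject, reason in find_orphaned_access(ROSTER, ACCOUNTS, DEVICES):
        print(f"[{sev.upper():8}] {subject}: {reason}")
```

Run against the sample data, the check reports a critical finding for the departed employee whose account was used after the termination date, high findings for that employee's still-enabled account and badge, and a medium finding for the account with no HR record. The "login after termination" rule is the one worth wiring to an alert rather than a weekly report; the others are routine offboarding gaps, but treating every finding as equally urgent is exactly the car-alarm effect described above.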
You don’t want to be one of those businesses that gets so wrapped up with thwarting attacks from the outside that you forget that one single error by a sloppy employee could cause disaster. And of course, there may be a malicious insider just waiting for the right chance.
Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.