Data lurking: How to protect your company against overlooked insider threats
Enterprises tend to rank outside hackers as their number one security threat, but they should be at least as worried about what happens internally. More often than not, data breaches originate with employees or system errors, not outsiders.
According to Ponemon’s 2013 Data Breach Report, human or system error is still the cause of 64 percent of data breaches. So the question remains – how can a company protect itself from an insider threat? Here are the worst internal offenders and solutions to make sure an employee doesn’t become an enemy.
1. The key holder
Executives need access to personal or private information to do their jobs, but how much of that access and control should be passed on to assistants and support personnel? Whether or not this “key holder” employee knows how sensitive the information they can reach is, the exposure is real: an account with broad access can leak data by mistake as easily as by intent.
For example, HealthITSecurity and PHIPrivacy reported that an employee at the Jonathan M. Wainwright Memorial VA Medical Center (VAWW) mistakenly sent data on 1,519 patients to an external education partner. Patients’ personal information, including Social Security numbers, was included in the email attachment. Healthcare is only one of many industries that continue to have a huge problem with human error causing breaches.
Solution: Companies must combine automated controls with employee education to enforce their governance policies. Technology that does not interfere with daily work lets a company inspect content for potential compliance issues and act on it, blocking unauthorized distribution and sharing before it happens rather than discovering it afterwards, so that information stays safe, appropriate and within regulatory guidelines. Employees, in turn, must fully understand why these guidelines exist and what a violation means for the whole organization.
2. The overly trusting boss
Often, employers find the easiest way to manage access is to open everything to everyone and simply “trust” employees. Trust in employees is admirable, but assuming that breaches won’t happen is naïve.
Mistakes can, and will, be made by careless employees. And what about malicious intent? Breaches involving malicious intent are the most costly, according to Ponemon, and they are on the rise. Still not worried? Consider this: half of employees admit to taking corporate data with them when they left their jobs or were fired, and 40 percent plan to use that data in their new positions at other organizations. Unlimited access to information can create headaches that a business, and its trusting boss, might not recover from.
Solution: C-level executives need to put measures in place that account for human nature. Mistakes will happen, and less-than-trustworthy employees are always a possibility. Security and compliance software that provides alerts, red flags or document-level encryption lets executives either decide who gets access to particular information, on a need-to-know basis, or secure it so that it cannot be shared at all. Taking the time to decide what should and shouldn’t be shared, and teaching employees the right way to use these tools, gives employers far better control over their confidential information.
3. The social media sharer
Social media has infiltrated the workplace. Enterprise social technology, from Yammer to SharePoint and everything in between, makes sharing information as easy as pressing a key. But not everything is for general internal consumption, even within the walls of the organization: mergers, acquisitions, confidential projects and, in financial services, the communications between traders are for authorized eyes only.
Solution: It is imperative that companies show employees what is and isn’t acceptable in the enterprise’s social universe. C-levels must take the time to consider what should and shouldn’t be shared through internal social channels, forums and platforms, as well as the right way to use the technology. Training is a key part of the solution. Technology also plays a role, especially in highly regulated industries, by monitoring internal social content to prevent violations.
4. The “favor” person
A friend of an employee asks for some non-public information about the company, and the employee slips it to them on the side. Or an employee swapping stories with friends over beers lets confidential company information slip by accident. One of those friends works for a competitor, passes the information to their boss, and the competitor gets the jump on a great opportunity.
Solution: A day of training for personnel could save a company millions in potential data breaches. Clear, documented policies, together with rules about what content is approved for sharing, give employees an unambiguous guideline for your content strategy. In addition, technical controls need to restrict what information can leave the organization: what can be sent out by email, and whether confidential information can be saved to the desktop at all, from where it can easily be emailed or copied to a thumb drive. These controls remove any ambiguity about the rules, and they also stop someone who wants to do a “favor” from deliberately leaking the company’s confidential information.
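The outbound control described in the two solutions above (inspecting content before it leaves the organization, and blocking the kind of mistake in the VAWW example, where Social Security numbers went to an external partner in an attachment) is easy to describe and surprisingly easy to get wrong. The following Python is an added example written for this article, not code from any product or from the original page. It assumes a hypothetical internal domain list and a constructed sample message; a real gateway would pull accepted domains from the mail system and parse real MIME attachments. The point it demonstrates is that a useful SSN detector applies the Social Security Administration's structural rules rather than matching any nine digits, and that the policy decision depends on both the content and whether a recipient is external.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption for this example: the organization's own mail domains.
INTERNAL_DOMAINS = {"example-hospital.org"}

# Candidate SSN: 3 digits, optional separator, 2 digits, the SAME separator, 4 digits.
_SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return every structurally valid SSN found in text, in order of appearance."""
    hits = []
    for m in _SSN_RE.finditer(text):
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            hits.append(m.group(0))
    return hits


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # name -> text content


def external_recipients(msg: Message) -> list[str]:
    """Recipients whose domain is not one of ours (case-insensitive on the domain part)."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def evaluate(msg: Message) -> dict:
    """Policy decision for one outbound message.

    block               - SSNs present AND at least one external recipient
    allow_internal_flag - SSNs present but every recipient is internal (allow, log for review)
    allow               - no SSNs found
    """
    ext = external_recipients(msg)
    ssn_counts: dict[str, int] = {}
    body_hits = find_ssns(msg.body)
    if body_hits:
        ssn_counts["body"] = len(body_hits)
    for name, content in msg.attachments.items():
        hits = find_ssns(content)
        if hits:
            ssn_counts[name] = len(hits)
    if ssn_counts and ext:
        return {"action": "block", "external": ext, "ssn_counts": ssn_counts}
    if ssn_counts:
        return {"action": "allow_internal_flag", "external": [], "ssn_counts": ssn_counts}
    return {"action": "allow", "external": ext, "ssn_counts": {}}


# Constructed sample data (not real patients): two real-looking SSNs, one with an
# invalid area 000, one with an invalid area 987. Dates of birth must NOT match.
SAMPLE_CSV = (
    "name,dob,ssn\n"
    "A. Patient,1950-01-02,123-45-6789\n"
    "B. Patient,1961-03-04,451-32-0072\n"
    "C. Patient,1972-05-06,000-12-3456\n"
    "D. Patient,1983-07-08,987-65-4321\n"
)

SAMPLE_MESSAGE = Message(
    sender="scheduler@example-hospital.org",
    recipients=["training@partner-university.edu"],  # external partner, as in the VAWW case
    body="Attached is the roster you asked for.",
    attachments={"roster.csv": SAMPLE_CSV},
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGE))
```

The separator backreference (`\2`) keeps `123-45 6789` from counting as a hit while still accepting dashed, spaced and unseparated forms, and the structural filter drops two of the four candidates in the sample roster, which matters when a scanner is tuned to block rather than merely warn: false positives on internal memos are what cause staff to ask for the control to be switched off.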
5. The lawless roamer
Smartphones, tablets and laptops have changed the workplace forever. Information now flows freely from internal servers to consumer applications such as Dropbox, which gives people far more ways to expose confidential information across many devices and channels. How can enterprises make sure that their private information stays private?
Solution: There is no single product that prevents data loss, but a management platform such as SharePoint can centralize security so that permissions are set and changed in one place, and a permission change made in SharePoint is applied whether the document is opened on a desktop or on an iPad. Within that limit, a company must secure its mobile information to the best of its ability.