What’s inside your own company may hurt you. Recent research reveals that internal security breaches, including accidental ones by careless employees, are dangerous and rampant.
Your business’s greatest cyber threat could be festering right inside your offices. A recent report by Forrester Research, called “Understand the State of Data Security and Privacy,” shows that one-fourth of survey respondents said that a malicious employee was the most common means to a data breach within the past year. However, respondents noted that 36 percent of data breaches resulted from employee errors.
A report from MeriTalk found that 49 percent of compromises occur when workers bypass security measures, e.g., downloading e-mail files. This report focused on the federal government. If the feds can’t protect themselves, how the heck can small businesses?
Businesses are spending more and more resources on protection, such as antivirus software, anti-phishing software and firewalls, plus teaching employees security awareness but the problems are crooked insiders and careless employees.
The MeriTalk report also reveals that 66 percent of respondents see security as time consuming and restrictive, while 60 percent believe their work takes longer due to additional cyber security tactics. Another 20 percent say they can’t complete their work due to security measures and 31 percent skirt around security measures at least once per week.
The Forrester study reveals that 36 percent of data breaches come from accidental misuse of data by workers. Only 42 percent of respondents received security training and 57 percent weren’t even aware of their company’s current security protocols. One in four reported a breach was caused by malicious inside activity.
What should be done? To start, focus on workers with access to sensitive data, such as employees in human resources, accounting, legal, administration and personnel but also company officers and contractors. Businesses need to work with all the key departments to identify vulnerabilities and devise security tactics that don’t obstruct productivity. Determine the level of risk for various kinds of data and set protections accordingly.
Following that, conduct a cost/benefit analysis. Review the different technologies that can be incorporated with the company’s existing systems. This includes data loss prevention technologies and internal system status monitoring. The goal is to limit who has access to what kind of data. Determine why an individual needs the data.
Companies also need to examine their weaknesses from an outside-attack perspective. System-wide encryption should be implemented, as well as tools that report alerts and events. Access controls should be inspected and put in place, along with password management and multi-factor authentication.
Device recognition is crucial. There must also be disposal for e-data, paper data and discarded devices.
Transparency is also important. The more transparent that a business’s network security and security policies are, the more effective and clear each department will be communicating their requirements, needs and differences.
Don’t be let efforts to combat outside cybercriminals blind you to internal threats. Attention on one should not diffuse attention on the other.