Eliminating Insider Risk to Your Data

October 18, 2019

Data breaches are continually rising in frequency and intensity. Small businesses have been increasing their investments in cyber security steadily over the last five years. From antivirus to threat detection software, you can invest any sum of money into your cyber security measures and be the better for it, but that’s not where the biggest threats to your business are coming from.

Cyber security platforms can’t do all of the work for you. Although there has been a drop in insider threats over the last few years, employee error and mishandling of data continue to be the leading cause of data breaches and leaks, according to the Global Encryption Trends Study of 2019. When it comes to insider risk, the employee frequently does not mean to mishandle the data or allow a breach. We don’t often see a jilted ex-employee selling your organization’s data or changing your source code (although it does happen). What we are witnessing is relaxed policies that allow bad things to happen. We see a lack of education and employees who are unaware that their actions are dangerous. You can call this person the careless insider. This person unwittingly allows data to leak by clicking on a phishing email or by accidentally downloading malware from a bad site. They may even plug a USB drive that they found on the ground somewhere into their work computer.

Here are four ways you can eliminate insider risk to your data:

  1. Know Where Your Data Is
    Although this may seem pretty obvious, knowing all of the locations where your data, and especially sensitive data, is stored is of the utmost importance for strong cyber security practices. Your organization may have migrated your data at some point, or you may have allowed employees to store data in unencrypted files or even on their personal devices, but was this data ever cleaned up? Knowing where your data is can be a little more complicated than it sounds. Over the last few years, there have been countless data breaches because employees or ex-employees could access and share data that their organizations should not have let them access. Part of knowing where your data is located is knowing how your data flows through your organization. Data transfers can be a weak spot in cyber security measures.
  2. Create Data Access Policies
    Going right along with the above tip, you need to be able to control who within your organization can access what data. If all of your organization’s data is open for any employee to access, you could be liable for the mishandling of this data. Allowing an entry-level employee or even an intern to access your most sensitive data when they don’t need access to fulfill their responsibilities only puts that data at higher risk. Access controls can take the form of network access when we are talking about cyber security. Limiting access based on roles is an excellent place to start, but it is also worth considering what devices can access your data. There are platforms that help you create and maintain these controls.
    In addition to who can access data, you should also have policies on how employees can interact with data. Are employees able to download any data on your network? Can anyone modify data? Will you allow access on a mobile device for all data or just some data? Maybe none of your data can be accessed on a mobile device. The intricacies of these decisions can impact your threat landscape immeasurably.
  3. Educate Employees
    Employees don’t know what they don’t know, and often they don’t know a ton about what cyber security threats exist and what a phishing email looks like. If your employees know more about cyber threats and how to protect your organization’s data with the actions they take, your entire organization will be safer. Many employees would be just as shocked as you are to know they pose the greatest threat to your company.
    Cyber security training for your employees can ensure that human error is largely eliminated as a cyber security threat to your organization. KnowBe4 is a platform that trains employees and enrolls them in a program to receive test phishing emails. If anyone takes an action that could put the company in jeopardy, this is tracked, and if need be, this employee is enrolled in more cyber security training.
  4. Create a Strong Password Policy
    Passwords still matter to your cyber security. If you’re allowing your employees to choose passwords without any standards at all, there could be a weak link in your chain. It may sound like the most trivial security item, but passwords are a fundamental part of strong cyber security. A password that includes capitals, numbers, special characters, and preferably a phrase is much stronger than password1234. Set up a policy within your organization and make sure your employees know how important strong passwords are. If you’re allowing employees to use the same passwords across multiple platforms, you may want to rethink that, as well. If one password is leaked, you could be giving hackers the keys to your data.

Be aware that your employees, no matter how well-meaning, can pose one of the biggest threats to your organization. Implementing the right policies in coordination with interactive training for your employees will boost your cyber security incredibly. Ensure your cyber policies are well communicated and understood throughout your organization to promote adoption. Data-centric security policies need to take into account the ways data is interacted with and how it can be mishandled and leaked, but if no one in your organization follows these policies, you are back to square one.