Most employees and business partners are honest, loyal, and committed to doing a great job. Yet insider threats remain among the most significant security threats businesses face today. Whether intentional (an employee steals and sells your customer data because they’re mad they didn’t get a raise) or unintentional (a hacker used social engineering to trick them into forking over a password), most data breaches today begin with insider threats — threats from your own employees, partners, or vendors.
Between hackers and cyber terrorists, angry ex-workers and clueless vendors, what does it take to keep your data safe in this age? Here are essential strategies for preventing data breaches.
1. Employee Education is Essential
Dealing with angry employees is only a small part of the problem when it comes to protecting your data against insider threats. Smart hiring practices, rigorous screening during the hiring process, and regular monitoring of your systems and users are essential. But most data breaches caused by employees are unintentional. Ignorance is as dangerous as malice. Invest in regular employee training, including education on:
- How to recognize and avoid viruses and malware
- How to recognize and avoid phishing scams
- Keeping software updated
- Using the security features of your software systems
- Collecting only information that’s essential
- Smart use of mobile devices
- Safe internet use (backed by strong policies, monitoring, and if necessary, having IT block problematic sites)
- Where, when, and how to back up systems
- Consider offering incentives for safe practices, and penalties for failure to comply with the rules
Have IT use access levels to grant access to systems and data on an as-needed basis. This protects the employee, as well as your business, because they can’t lose what they don’t have access to.
2. Prepare an Exit Strategy for All Situations
Ideally, every worker gives two weeks' notice, giving your IT team ample time to remove sensitive data from their mobile devices, shut down all their user access privileges, and erase all the data on their work PC. In real life, employees just don’t show up one day, or they die in a car accident and you have no idea where their phone and laptop wound up, or their stepson with a drug addiction makes off with their work notebook and all their access codes. IT needs a way to revoke access and wipe data from all accounts and devices, even when the worker and/or their work devices aren’t physically available.
3. Remember: Good IT Security is Multi-Layered
Though insider threats remain a top concern, smart businesses are also prepared for the outsider attack, whether by brute force, sustained attacks such as DDoS, social engineering, backdoors, zero-day exploits, or other means. Today’s hackers aren’t necessarily super-geniuses. Hacking tools available on the Dark Net give even newbies and those with less-than-stellar skills the ability to break into fairly well-protected systems. Cyber security begins with a strong, current anti-malware software package, but that’s just one element of a multi-layered IT security system. Here’s what every business needs:
- Regularly updating software and firmware, including the antivirus system, operating systems, business and legacy software systems, and hardware like modems, routers, printers, etc.
- A monitoring solution that allows real-time monitoring of systems at the user level, application level, system level, network level, and database level.
- An incident response plan: set the baselines for normal activity and traffic, and define the parameters at which your IT team receives alerts. Then put a plan of action in place to respond to various potential threats.
- Practice. No data breach prevention and response plan is ever finished. It should be continually tested, honed, refined, and updated to reflect changes in your systems, applications, and storage environments.
- Don’t forget those peripheral systems like cloud environments, mobile apps, proprietary systems like CMS or marketing automation tools, and other systems that sit on the sidelines of your primary IT solutions.
- Don’t store data in too many places. If it isn’t needed, get rid of it. Purge data regularly, and be strict about how IT disposes of old equipment. Have policies governing the process for retiring old computers, servers, external hard drives, or any other equipment that holds data.
- Make sure your cloud service and other vendors have backup and disaster recovery plans, too. Know what those plans are, how they work, how they’re tested, and whether your own plan includes disaster recovery.
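The incident response item above says to set baselines for normal activity and define the parameters at which IT receives alerts. As an added illustration (not code from the original article or from any product it mentions), the script below builds a per-user baseline of daily failed logins from a week of constructed sample authentication log lines, then flags a later day on which a user's failures exceed the baseline mean plus three standard deviations. The log format, user names, IP addresses, and the threshold parameters (`k=3.0`, `min_events=5`) are all assumptions chosen for the example; the absolute floor `min_events` stops a very quiet baseline from alerting on one or two typos, and a user with no history at all is judged against the floor only.

```python
import re
import statistics
from collections import defaultdict

# Assumed log line format (constructed for this example, not a real product's format):
#   <ISO timestamp> user=<name> event=<login_ok|login_failed> src=<ip>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)"
)


def parse(lines):
    """Yield (day, user, event) for every well-formed line; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("day"), m.group("user"), m.group("event")


def daily_failures(lines):
    """Count login_failed events per user per day. Returns (sorted days, counts)."""
    days = set()
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, event in parse(lines):
        days.add(day)
        counts[user]  # register the user even on days with only successful logins
        if event == "login_failed":
            counts[user][day] += 1
    return sorted(days), counts


def build_baseline(lines):
    """Per-user (mean, stdev) of daily failed logins over the baseline window.
    Days on which a user had no failures count as zero, so quiet days shape the baseline."""
    days, counts = daily_failures(lines)
    baseline = {}
    for user, per_day in counts.items():
        series = [per_day.get(d, 0) for d in days]
        mean = statistics.fmean(series)
        stdev = statistics.stdev(series) if len(series) > 1 else 0.0
        baseline[user] = (mean, stdev)
    return baseline


def detect(lines, baseline, k=3.0, min_events=5):
    """Return (user, day, count, threshold) for each day a user's failed logins
    exceed mean + k*stdev AND reach the absolute floor min_events.
    Users absent from the baseline have no history, so only the floor applies."""
    _, counts = daily_failures(lines)
    alerts = []
    for user, per_day in counts.items():
        mean, stdev = baseline.get(user, (0.0, 0.0))
        threshold = mean + k * stdev
        for day, n in sorted(per_day.items()):
            if n >= min_events and n > threshold:
                alerts.append((user, day, n, round(threshold, 2)))
    return alerts


# Constructed baseline window: seven ordinary days for two users (alice, bob).
BASELINE_LOG = """\
2024-03-01T08:00:01Z user=alice event=login_failed src=10.0.0.5
2024-03-01T08:00:12Z user=alice event=login_ok src=10.0.0.5
2024-03-02T08:10:03Z user=alice event=login_ok src=10.0.0.5
2024-03-03T08:02:40Z user=alice event=login_failed src=10.0.0.5
2024-03-03T08:02:51Z user=alice event=login_failed src=10.0.0.5
2024-03-03T08:03:05Z user=alice event=login_ok src=10.0.0.5
2024-03-03T09:15:00Z user=bob event=login_failed src=10.0.0.9
2024-03-03T09:15:20Z user=bob event=login_ok src=10.0.0.9
2024-03-04T08:01:00Z user=alice event=login_failed src=10.0.0.5
2024-03-04T08:01:15Z user=alice event=login_ok src=10.0.0.5
2024-03-04T09:00:00Z user=bob event=login_ok src=10.0.0.9
2024-03-05T08:05:00Z user=alice event=login_failed src=10.0.0.5
2024-03-05T08:05:09Z user=alice event=login_ok src=10.0.0.5
2024-03-06T08:00:30Z user=alice event=login_ok src=10.0.0.5
2024-03-06T09:02:00Z user=bob event=login_ok src=10.0.0.9
2024-03-07T08:00:44Z user=alice event=login_failed src=10.0.0.5
2024-03-07T08:00:58Z user=alice event=login_ok src=10.0.0.5
"""

# Constructed review day: alice fails nine times from an unfamiliar address in the
# small hours, bob has his usual single typo, and carol has no baseline at all.
REVIEW_LOG = "\n".join(
    [f"2024-03-08T02:1{i}:00Z user=alice event=login_failed src=203.0.113.7" for i in range(9)]
    + [
        "2024-03-08T09:00:00Z user=bob event=login_failed src=10.0.0.9",
        "2024-03-08T09:00:10Z user=bob event=login_ok src=10.0.0.9",
        "2024-03-08T10:00:00Z user=carol event=login_failed src=10.0.0.12",
        "2024-03-08T10:00:05Z user=carol event=login_failed src=10.0.0.12",
        "2024-03-08T10:00:20Z user=carol event=login_ok src=10.0.0.12",
    ]
)


def run_example():
    """Build the baseline from the quiet week and review the following day."""
    baseline = build_baseline(BASELINE_LOG.splitlines())
    return detect(REVIEW_LOG.splitlines(), baseline)


if __name__ == "__main__":
    for user, day, n, threshold in run_example():
        print(f"ALERT {day} user={user} failed_logins={n} (baseline threshold {threshold})")
```

Only alice's day is flagged: her baseline mean is about 0.86 failures per day, giving a threshold just under 3, and nine failures clears both that and the floor. Bob's single failure sits inside his baseline, and carol's two failures fall below the floor despite her having no history. The same shape works for any per-user or per-host daily counter (bytes transferred, records exported, after-hours sessions); the parameters that define "normal" are exactly what the incident response plan should write down.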
4. Conduct Regular Risk Assessments
Having only your own IT team conduct risk assessments is like getting your teenager to guard your car keys. It’s human nature to overlook one’s own mistakes, to downplay weaknesses, or simply to excuse lapses in security as acceptable. A risk assessment by an outside agency ensures the process is thorough and unbiased. Plus, your IT folks are probably specialists in other things, like network administration, systems design, and software development. Professional risk assessment teams have training and experience in cyber security.
5. Hold Your Partners & Vendors to Your Own High Standards
No business is an island unto itself. It takes a network of vendors, suppliers, and partners to get things done today. It’s convenient and efficient to grant system access to third-party vendors and partners to keep orders updated, check order statuses, and handle payments. Do your vendors and partners have the same rigorous hiring and training practices that you employ? What’s the difference between their employees going rogue and stealing data, or falling for a phishing scam, and one of your own employees doing so? Ensure that your vendors, partners, and contractors follow the same careful security procedures as your business does. Otherwise, don’t allow them access to your sensitive systems.
It’s a scary world out there, especially for unguarded data. According to recent research by IBM, every stolen record costs your business an average of $158, and the average breach costs companies $4 million. This is 29 percent higher than the cost of a data breach just four years ago. Is your business protected from data breaches?