The biggest threat to your data may not come from external hackers. Find out how to guard against intentional or accidental internal cyber breaches.
The NSA leaks we keep hearing about are a constant reminder of just how vulnerable data is and how this vulnerability can result in data breaches by organization insiders. As Reuters reported, “Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.” It’s apparent now that the nation’s most significant intelligence and security team failed to install the most up-to-date, anti-leak software.
This news coincides with two recent reports that show insiders are becoming the most significant reason data breaches proliferate. While threats to data security and privacy are often perceived to come from the outside via criminal hackers, recent research has marked internal threats as equally dangerous to customer/client data—whether breached on purpose or by accident.
According to a recent Forrester Research report titled “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company, while 36 percent of breaches were caused by employee mistakes, making it the current top cause of most data breaches.
Another report, from MeriTalk, which focuses on the federal government, found that 49 percent of breaches happen when employees bypass existing security measures, such as when they’re Web surfing or downloading email or other files. If the federal government can’t protect itself against data leaks, how can small-business owners expect to adequately protect their business data? Let’s take a look at how these data leaks are happening to find out how you can protect against them.
Cracking The Code
We’re at a point where companies interested in protecting their data have invested significant resources into fighting off network attacks from outsiders by incorporating numerous layers of security, such as firewalls, antivirus software, antispyware, antiphishing software and security awareness training, but they’re leaving their data vulnerable to their employees. Companies may have malicious, Edward Snowden-like insiders who hack the network for information, including fellow employees’ passwords.
Or, on the less malicious end of the spectrum, employees may just make simple mistakes that leave the network vulnerable to data breaches. Because of this “hidden” vulnerability, company networks are often compared to candy bars that are hard on the outside and soft and chewy on the inside. Additional risks revolve around savvy employees who might have good intentions but may make the network vulnerable when they go outside existing security measures. They may find themselves forced to do this because of restrictions that prevent them from getting their jobs done.
The Meritalk study found:
- 66 percent of federal network users believe security is time-consuming and restrictive.
- 69 percent say their work takes longer because of additional cyber security measures.
- One in five users report an inability to complete work because of security measures.
- 31 percent of users work around security measures at least once a week.
- 36 percent of breaches stem from inadvertent misuse of data by employees.
- 42 percent received training on how to remain secure at work, which means 58 percent haven’t had training at all.
- 57 percent say they’re not even aware of their organization’s current security policies.
- 25 percent say a breach occurred because of abuse by a malicious insider.
Guarding What’s Yours
The most important thing companies can do is to put the right security measures in place. Employees who need identification include those who are known to access critical data resources, such as those in accounting, human resources, administration, legal, personnel and account management as well as company officers and various contractors. Looking at data flow—that is, where data might be either vulnerable, shared across departments or bottle-necked—companies should work with each critical department to gradually implement security controls that create a delicate balance of security and productivity for day-to-day activities.
Data loss prevention begins with data discovery, classifying data in need of protection, and then determining what level of risk your company may face. Then you should complete a cost/benefit analysis and review the various technologies that can integrate with your existing systems. These include data loss prevention (DLP) technologies that provide real-time network activity monitoring, as well as system status monitoring from the inside out and the outside in.
The goal is to limit who has access to what data as well as determine why the person needs it. It’s also important to look for your vulnerabilities from outside attacks. DLP can simultaneously determine when employees are circumventing security because the system may be prohibiting them from getting their job done.
Other procedures and tools you might want to consider implementing include:
- System-wide encryption
- Tools that report alerts and events
- Inspection access controls
- Password management
- Multifactor authentication
- Device recognition
- Data disposal for e-data, paper data and discarded devices
This last one is critical because the more transparent your network security and security policies are, the more effective each department will be when communicating its requirements, needs, wants and differences.
The battle to fight criminal hackers from the outside must not hinder your employees’ progress on the inside. At the same time, you must protect against internal threats from employees, which is an equally dangerous risk that your IT department must acknowledge—and work to secure quickly.
Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.
- How to protect your network from malicious insiders
You may be putting your company at risk simply by hiring a new employee. Why? Because that person could have a hidden, malicious agenda. This is known as an inside threat, and it means that someone within your organization is planning or conducting activities meant to harm the company. There is a pattern that most insider threats
- Corporate BYOD puts Client Data at risk
When employees improperly use mobiles, they put their companies at risk for data breaches. This includes leaving lots of sensitive data on the devices—which can pave the way to leakage of data, plus other issues. Mobile device use in workplaces is increasing—and so is its associated security risks. Current security measures are lagging behind the increased
- Weak Passwords Mean Data Breaches
Studies across the board indicate that weak usernames and passwords are one of the top causes of data breaches, and I find that information to be unfortunate, because it is preventable. According to a recently concluded survey conducted by uSamp and sponsored by Siber Systems, creators of the RoboForm Password Manager: 70% reported forgetting a password,
- 11 Ways to Mitigate Insider Security Threats
Companies are constantly attacked by hackers, but what if those attacks come from the inside? More companies than ever before are dealing with insider security threats.Here are 11 steps that all organizations should take to mitigate these threats and protect important company data: Always encrypt your data If you want to minimize the impact of
- Putting An End to Data Breaches As We Know Them
The AP reports “WikiLeaks’ release of secret government communications should serve as a warning to the nation’s biggest companies: You’re next.” According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data breaches lists specific examples of incidents in which