Be Prepared to Combat Insider IT Security Risks in 2018
Did you know that in 2016, IBM found that 60% of all cyber attacks were carried out by insiders? Of these, three quarters were due to malicious intent, and one fourth were due to negligence or error.
- Accidents: According to Verizon’s 2016 Data Breach Incident Report, accidents accounted for 30% of security incidents. In many cases, employees haven’t been educated properly on cybersecurity best practices. They open phishing emails and click on malicious links that expose sensitive data.
- Negligence: This is when employees try to circumvent the policies you’ve put in place to protect endpoints and valuable data. For example, they might try to share work on public cloud applications so they can work from home. There’s no malicious intent, but by doing this they expose your data to dangerous actors.
- Malicious: Unfortunately, there are times when employees are motivated by financial gain and reveal your confidential data. For example, a disgruntled employee who was recently terminated might extract sensitive data on his/her way out and either sell it or release it publicly.
What You Should Do
As you look to how you should secure your IT environment as a whole, there are two main questions you should ask:
- What departments or people within your business pose the biggest threat?
- What processes can you put in place to minimize this risk?
Ultimately, it’s not the people in your organization who are the least reliable that you should be concerned about. Instead, you should focus on the work employees do, the technology they use, and the data they’re responsible for—data that would be appealing targets for hackers and cybercriminals.
The following are the three departments that experts suggest you focus on:
The IT Department
IT staff often possess greater access rights than other departments do. They have access to business-critical data through the IT systems they manage and control. This makes them a prime target for cybercriminals. According to the 2017 Balabit Report, 35% of IT professionals consider themselves the biggest security risk to their organization.
Finance
Your financial department poses a risk because of the large sums of money they handle. They are often targets of phishing attacks where criminals try to get them to transfer large sums of money and bypass normal accounts-payable procedures and controls. Unfortunately, not all employees who have access to funds are up to speed on these fake payment requests. It’s important that they are taught to maintain rigid purchasing processes. A simple call or email can expose your company to theft.
The C-Suite
Your CEO, CTO, and other top executives are always on the go and require access to 100% of your company’s information and data. A mobile workforce is the trend of the future, and company leaders have been working from remote locations and off-site meetings for years now. However, 93% of tech leaders surveyed said they were concerned about the security challenges presented by a growing mobile workforce.
Threats to Small Businesses
As a small business owner, your focus may not be identical to the departments described above. Simply think of the places where data and money are transacted, and what networks those workers are most often connected to.
To mitigate these risks, be sure to implement the following strategies in your workplace.
- Treat security as a culture, not a policy. Cybersecurity must be a company-wide initiative and “all-hands-on-deck” strategy. It shouldn’t be the sole responsibility of just a few individuals or a particular team, although it might be okay for one department or person to lead it.
- Educate, train, repeat. Bring all employees into the conversation, make sure they stay up to speed, and consistently revisit this. The tricky part about IT security is that it’s ever-evolving. Hackers are constantly developing new ways to gain access to information that doesn’t belong to them. Staying up to date on these changes, tweaking company policy to cover all the bases, and distributing updates through security awareness training programs must be a top priority for organizations today.
The Better Business Bureau has a great list of starting points if you’re looking for a checklist. If there’s no one individual who can lead the implementation of these strategies, consider contacting your IT provider for assistance and training.