You don't have to be a cyber-security expert to know that insiders pose the greatest threat to an organisation's IT security. Anyone reading the news or digging deeper into data breach reports is aware of it. This year alone, we've seen breaches at FDIC, Sage, and SCAN, all of which have been linked to insider threats. Unfortunately for organisations, these types of risk are becoming more frequent and increasingly difficult to detect and prevent.
So how can we prevent insider data breaches from happening? Based on what was disclosed about the Sage breach, an employee used an internal login to access customer bank account and salary information without authorisation. Organisations should follow the tips below to keep customer information secure and avoid being the next big story on the five o'clock news.
Learn from others' mistakes and secure the fortress accordingly
When a data breach is announced in the news, assess your IT environment to see if your organisation has controls in place that would have mitigated a similar issue in your own organisation. Understanding your internal privacy and security program is essential to protecting the information that lives inside it. But remember that there is no such thing as perfect security. This is why it is incredibly important to truly understand the data you hold and to protect it according to its value and your risk. Once IT leaders have a better sense of their IT environments and current controls in place, organisations can make decisions on where their data should live, who can access it, and how it needs to be protected. IT can then layer in user-based controls, which should help mitigate malicious insider behaviours.
Know your employees and limit access
Many organisations make the mistake of focusing their data protection strategies on keeping the outsider out. But in fact, many breaches come from someone who is already inside, whether their actions are intentional or unintentional. Fortunately, insider threats are also the easiest to prevent.
As a general rule, employees should be given the least access that still allows them to do their jobs (the principle of least privilege). Unfortunately, overburdened IT administrators tend to work backward, giving users too much access so that IT does not sink under the burden of immense workloads. At the end of the day, it's important to trust your end users to appropriately identify and classify the sensitive data they are handling or creating, but also to verify that they are doing so correctly. Using a combined or layered approach to data classification can ensure that employees understand and adopt the policies, training, and tools you provide.
In the absence of cyber-security training, we find that most end users naturally make poor security decisions. This means that systems need to be easy to use securely and difficult to use insecurely. This is probably the single largest opportunity for organisations looking to revamp their data protection programs. Organisations need to make it easier for end users to do the right thing, and harder for them to do what's wrong.
- Your biggest security threat could be your employees, whether they mean to be or not, so make sure to limit access to sensitive data.
- Be conscious of the strain on your IT professionals and when to consider hiring. It is much cheaper to recruit, hire, and train a new employee than it is to recover from the internal and external implications of a data breach.
- Build a culture of vigilance in your company so employees actively strive to keep data safe.
- Continue protecting against outside hackers with scanning programs and stay on top of updates as they're released.
- Implement mandatory security training for all of your employees so your entire organisation is on the same page when it comes to keeping customer and company data safe.
Once organisations start implementing preventative security measures from the inside out, customer data will become safer and leaks will be less likely. But the path to security is not always easy. By following the roadmap outlined above, organisations will feel more confident in their ability to keep both outsider and insider threats at bay and protect proprietary customer information.
Contributed by Dana Simberkoff, chief compliance and risk officer,