(As seen in Phoenix Business Journal)
When asked to imagine the source of a company’s biggest security threat, many of us picture a hacker: that malicious, anonymous figure behind a computer, scheming up nefarious ways to breach our network and steal our data. It might be surprising to know that, according to a recent survey of IT professionals, employees actually pose a much larger threat to a company’s security.
In fact, 90 percent of those surveyed felt the company they worked for was vulnerable to an insider threat, and over 50 percent reported that their organization had been the victim of an insider attack within the previous 12 months.
The threat that an employee poses to a company can be malicious, like a disgruntled worker deliberately stealing data or intellectual property with an intent to do harm, but more often it’s inadvertent, like when a staffer falls prey to an email phishing scam or downloads a virus onto a company device. Either way, it’s the business that pays the price.
Safeguarding your company against threats from the inside requires careful planning, ongoing education and vigilance. Here are some best practices to consider:
Start with a solid security policy
First, be sure your company’s security policy covers how to handle confidential company information both in and out of the workplace. For instance:
- How should your team be treating data in their emails?
- What are your rules for internet use?
- What measures need to be taken to secure removable media or employee-owned devices?
- If a device is lost or stolen, do your employees know what to do?
- How do remote workers access the company network and data?
A comprehensive policy will ensure everyone on the team knows what’s expected and what they’re accountable for.
Bring up security during onboarding
Add a cybersecurity portion to your employee onboarding program. Before a new hire gains access to their IT devices, discuss with them the company policy on:
- Proper password management.
- Understanding and avoiding phishing attacks.
- The use of encryption.
- Backing up work.
- Sending, receiving and storing sensitive information.
- Account limits, access and authentication.
- Remote network access and mobile device protocols.
Train your team … again and again
Many businesses that address security protocols during the onboarding process for new employees rarely bring up security again, unless there’s a data breach event that throws everyone into crisis mode. But in the rush of daily emails, phone calls, and meetings, it’s easy for employees to become lax on simple security measures like locking computers before leaving the office, practicing proper password protocol, or shredding or securing sensitive paperwork.
To keep security top of mind, it’s a good idea to have company-wide training at least twice a year, in addition to highlighting the importance of data security via emails, posters, monthly newsletters and similar communication methods.
Some companies run periodic “fire drills” that test their employees’ ability to spot and avoid phishing threats. Others employ a rewards system for team members who show continued commitment to security.
Tighten up your tech
Protect your business and your employees with up-to-date network security, starting with a firewall that prevents unauthorized connections and malicious software from entering the network. Use encryption software to store and transmit your data securely. Require any remote employees to use a company VPN (virtual private network) to safely access the internet when they’re outside the office. Employ “two-step authentication” whenever possible to guard against poor password practices. Make sure all devices have the most recent antivirus solutions installed, and update these regularly.
User activity monitoring tools
User activity monitoring (UAM) software monitors and tracks the behavior of employees on company devices, networks, and other equipment. UAM tools are used by businesses to help detect and thwart threats from inside the company, both intentional and unintentional.
The methods of monitoring might include:
- Video recording.
- Screenshot captures.
- Keystroke logs.
- Log collection and analysis.
- Network packet inspection.
Using UAM tools, business owners and managers can quickly identify suspicious behavior, ideally before a data breach occurs. UAM enables a proactive review of user activity, including violations of access privileges or company policies, whether accidental or deliberate, and provides concrete evidence of wrongdoing, which can be used in court.
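As an added illustration of the “log collection and analysis” side of UAM (this is example code written for this article, not a product or the article’s own material), the script below runs three simple policy checks over a handful of constructed activity log lines: access to resources outside the user’s assigned role, activity outside business hours, and unusually large download volume. The log format, the role-to-folder mapping, the business-hours window and the download threshold are all assumptions chosen for the example; a real deployment would take these from the company’s own policy.

```python
"""Toy user-activity log analysis: flag policy violations in constructed log lines."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (hypothetical format):
#   "<ISO timestamp> <user> <action> <resource> <bytes>"
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice read /finance/q1-report.xlsx 2048
2024-03-04T09:15:44 alice read /finance/q1-budget.xlsx 4096
2024-03-04T10:02:10 bob read /engineering/design.docx 1024
2024-03-04T10:05:51 bob read /finance/q1-report.xlsx 2048
2024-03-04T23:41:07 carol download /hr/payroll.csv 52428800
2024-03-04T23:42:30 carol download /hr/employees.csv 31457280
2024-03-04T11:20:00 dave read /sales/leads.csv 512
"""

# Hypothetical policy data, assumed for this example only.
ROLE_OF = {"alice": "finance", "bob": "engineering", "carol": "hr", "dave": "sales"}
ALLOWED_PREFIXES = {
    "finance": ("/finance/",),
    "engineering": ("/engineering/",),
    "hr": ("/hr/",),
    "sales": ("/sales/",),
}
BUSINESS_HOURS = (8, 19)                 # activity expected between 08:00 and 19:00
BULK_DOWNLOAD_BYTES = 50 * 1024 * 1024   # per-user download total that triggers an alert


@dataclass
class Event:
    when: datetime
    user: str
    action: str
    resource: str
    size: int


@dataclass
class Finding:
    user: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated log line into an Event."""
    when, user, action, resource, size = line.split()
    return Event(datetime.fromisoformat(when), user, action, resource, int(size))


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def analyze(text: str) -> list:
    """Return a list of Findings for every policy violation seen in the log."""
    findings = []
    downloaded = defaultdict(int)
    start, end = BUSINESS_HOURS
    for ev in parse_log(text):
        role = ROLE_OF.get(ev.user)
        allowed = ALLOWED_PREFIXES.get(role, ())
        # 1. Access to data outside the user's role (access-privilege violation).
        #    Unknown users have no allowed prefixes and are therefore always flagged.
        if not ev.resource.startswith(allowed):
            findings.append(Finding(ev.user, "access_outside_role",
                                    f"{ev.action} {ev.resource} (role={role})"))
        # 2. Activity outside the business-hours window.
        if not (start <= ev.when.hour < end):
            findings.append(Finding(ev.user, "off_hours_access",
                                    f"{ev.action} {ev.resource} at {ev.when.isoformat()}"))
        # 3. Accumulate download volume per user for the bulk check below.
        if ev.action == "download":
            downloaded[ev.user] += ev.size
    for user, total in downloaded.items():
        if total > BULK_DOWNLOAD_BYTES:
            findings.append(Finding(user, "bulk_download", f"{total} bytes downloaded"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.user}: {f.detail}")
```

On the constructed log this flags bob for reading a finance file outside his engineering role, and carol both for working late at night and for pulling more than 50 MB of HR data; alice and dave, whose activity stays within role, hours and volume, produce no findings. Each finding carries the concrete event that triggered it, which is the kind of record that supports the evidentiary use of UAM output described above.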