[BreachExchange] How Secure is Your Company Data? Internal Security Breaches and How to Avoid Them

[Audrey McNeil]

http://www.dailynewsen.com/951-how-secure-is-your-company-data-internal-security-breaches-and-how-to-avoid-them.html

When you start to talk about protecting company data, most business owners
will jump right into the process of protecting against external threats
such as installing antivirus software, malware protection, and firewalls.
Though all of these steps are necessary to protect pertinent business data,
there is still one area of concern that is often overlooked. Your
employees, whether intentional or not, also pose external risks to your
company’s data. And, without the proper procedures in place, you could
stand to lose a lot of money along with the credibility of your company’s
brand. Making yourself aware of the potential risks and taking the
necessary steps to safeguard your business is strongly advised.
While you obviously hope that you’ve hired employees who will not
intentionally bring your company any harm, the truth of it all is that you
can never be 100% sure. Not only is there the potential risk of employees
posing intentional threats out of spite, there is also the possibility that
“human error” will be to blame. With news reports now stating the urgency
for business owners to beef up their security measures, knowing where
you’re vulnerable is the first step.

Intentional Internal Threats

- A disgruntled employee - an employee who is not satisfied with their
working environment or workplace responsibilities may damage company
information as a way to get back at the company or supervisors.
- Better pay - an employee looking to find employment that offers a better
salary may be willing to share company secrets--including customer
information and important files.
- Financial difficulties or gain - when an employee is having financial
difficulties, they might look to company information to rectify the matter.
For example, an employee might try to obtain customer credit card and
contact information to pay for a personal bill. Another scenario could be
an employee supplying a list of customer information to a paying source.
- Religious or Personal Causes - If an employee has certain cultural,
religious, or personal causes that contradict certain aspects of your
business (maybe a particular client you’ve taken on, or a new project your
company is working on), they may be willing to use company information to
further address that cause.

Unintentional Internal Threats

- Lost or stolen device - Many businesses operate on the move now and
having mobile devices that can travel with you is a must. Laptops, tablets,
and smartphones are very convenient to use. You can take them with you and
access information wherever you go. The only trouble is, these things have
a tendency to be stolen. A stolen company laptop could leave your company
vulnerable to all types of security threats.
- Improper password storage - When you have several accounts that you must
log into on a regular basis, remembering all of those passwords can be a
pain in the neck. Many employees have a habit of writing their passwords
down or making them exceptionally easy to remember. The trouble with this
is that it can be easy for someone else to see or to guess the password.
- Accessing from Unsecure Sites - The cool thing about cloud based programs
and files is that you can access them from anywhere. As long as you have
internet access, you can log onto databases and retrieve files in an
instant. While this is a modern convenience, if people are not careful, it
could pose a security risk to your company’s data. For example, an employee
who decides to log on to the company database from a Wi-Fi connection
(which is not always a secure connection) could pose a threat.
- Friends and Relatives - Many employees like the idea of being able to
take their work home with them over the weekend. However, this generally
means that they’re going to take their office laptop home. While this often
wouldn’t otherwise be a problem, imagine if someone else were to use the
company computer. A friend or relative could ask to check their email or
social media account and have full access to all the company information.

Do Something About It
Whether it was human error or payback of sorts, there is nothing worse than
having to deal with the aftermath of a data breach. Not only do you have to
explain to your customers that their personal information may have been
compromised, but you also have to deal with the financial burden of it all.
In this case it is most certainly better to be proactive than it is to be
reactive. Below are a few suggestions on how to minimize the potential for
internal data breaches.

- Employee Education - Unintentional data breaches caused by employees can
be greatly reduced by properly educating them. Businesses should provide
extensive training on the do’s and don’ts as they pertain to company data.
When employees are made aware of the various threats they pose, they might
be more diligent in ensuring that they avoid those circumstances. You can
provide education through training sessions (online or in person), updating
company policies, or by providing handouts. The more aware your staff is,
the better prepared they can be.
- Authorize Permissions- Not every employee needs access to all of a
company's information. By regulating the permissions to various databases,
you can minimize the potential of a data breach. Providing identifying
login information and passwords will allow you to minimize the possibility
of company data getting into the wrong hands.
- Password Management - Passwords that are written down or that are too
generic in nature could pose a serious risk for your company. To avoid
that, it is a good idea to consider using tools that will support better
password management. Password managers are great tools that can be used to
store all employee login information for varying sites and databases. The
information is secured and safe at all times, giving you and your staff
peace of mind.
- Encryption - another way to safeguard your company information is through
encryption. Company files and data get coded in a way so that only those
with access can review them. This way, should a company laptop get lost,
you don’t have the added fear of wondering if hackers can view confidential
information.

It’s true that modern technology has made it a lot harder for businesses to
protect important information. While the use of technology is convenient in
beneficial, if you’re not careful it can pose serious risks. When
evaluating potential risks to your company’s data, be sure to include
external and internal threats. By assessing your vulnerabilities and taking
the proper steps to protect company data, you can greatly decrease the
chance of a threat.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160304/07b3b269/attachment.html>