Outside of the Department of Defense and other organizations that house secret “stuff,” most of us in business don’t really consider our data all that dangerous.
In the past 15 years, more and more attention has been given to the protection of personal information. As a result, a long list of IT security rules and regulations has sprung up, mandating minimum levels of security and breach-reporting guidelines for businesses that house or process this type of data. Between the bad press and the government fines, the consequences of allowing this data to be breached can be bruising for big companies and devastating for smaller ones.
The “follow the money” approach to understanding cybercrime keeps us focused on identity theft and other types of financial fraud as the primary motivators for hoarding and selling social security and debit card numbers. To this end, much of our spending on security has been to address these types of threats.
As an unintended consequence of all of the attention being paid, legal action being reported and financial penalties being levied, have we created a new potential “bad actor” in terms of data breaches?
It used to be that insider threats were perceived to be limited to the antisocial system administrator who might bring down the network if you let him go. But now, just about every member of our workforce knows what a breach could cost an organization.
As a result, a disgruntled ex-employee can cause just as much damage as any skilled hacker or tech wizard. Your customers’ or employees’ private data in their hands can be a significant, and possibly even stealthy, weapon if posted anonymously to a file-sharing site.
So what can we do? While it’s true you cannot totally eliminate the risk from a trusted insider, you can certainly do some things to help reduce it.
Ten Tips to Consider for Reducing Risk from Employees
- Screen and hire well.
- Do right by your customers, vendors and employees. Have an ethical culture.
- Classify and know where your sensitive data lives.
- Establish access control that enforces the concept of minimum necessary access.
- Employ good monitoring and logging, and establish segregation of duties between those with access to data and those with access to monitoring systems.
- Deploy data leak prevention technology if it makes sense in your environment.
- Set expectations with all members of the workforce that their activities are subject to monitoring.
- Don’t leave data lying around in unrestricted file shares.
- Obtain employee feedback and monitor the satisfaction levels of the workforce. Address issues promptly.
- Implement an effective termination procedure and be proactive about removing privileges to information systems.
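Two of the tips above (segregation of duties, and promptly removing privileges at termination) are easy to state and easy to let slip. The following is an added example, not part of the original article, of the kind of periodic reconciliation check a security team could run: it compares a constructed HR separation list against a constructed directory export and flags accounts still enabled past their separation date, plus users who sit in both a sensitive-data group and a monitoring-admin group. All user names, group names and dates are made-up sample data.

```python
from datetime import date

# Constructed sample data: an HR separation list and a directory export.
# Every name, group and date here is invented for this example.
HR_SEPARATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 15),
}

DIRECTORY = [
    {"user": "jdoe",   "enabled": True,  "groups": {"payroll-data"}},
    {"user": "asmith", "enabled": False, "groups": {"payroll-data"}},
    {"user": "bwong",  "enabled": True,  "groups": {"payroll-data", "siem-admins"}},
    {"user": "clee",   "enabled": True,  "groups": {"siem-admins"}},
]

# Groups that grant access to sensitive data versus groups that administer
# the monitoring/logging systems; the two sets should never overlap per user.
DATA_GROUPS = {"payroll-data", "customer-pii"}
MONITORING_ADMIN_GROUPS = {"siem-admins", "log-admins"}


def stale_accounts(directory, separations, today):
    """Return users whose account is still enabled on or after their separation date."""
    return sorted(
        acct["user"] for acct in directory
        if acct["enabled"]
        and acct["user"] in separations
        and separations[acct["user"]] <= today
    )


def segregation_violations(directory, data_groups, monitoring_groups):
    """Return users holding both data access and monitoring-admin membership."""
    return sorted(
        acct["user"] for acct in directory
        if acct["groups"] & data_groups and acct["groups"] & monitoring_groups
    )


if __name__ == "__main__":
    today = date(2024, 4, 1)
    print("Enabled accounts past separation:",
          stale_accounts(DIRECTORY, HR_SEPARATIONS, today))
    print("Segregation-of-duties violations:",
          segregation_violations(DIRECTORY, DATA_GROUPS, MONITORING_ADMIN_GROUPS))
```

In practice the two inputs would come from the HR system and the identity directory rather than inline constants, and the check would run on a schedule so that a missed deprovisioning step surfaces within a day rather than months later.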