It Only Takes One
In today’s world of cyber security, it is not enough for organizations to simply focus on technical defenses to prevent a data breach. While many security vulnerabilities for servers, desktops, routers, etc. can be addressed through a patch update, there are no patches for employee negligence. Infosecurity Magazine states “Among companies experiencing data breaches, internal actors were responsible for 43% of data loss, half of which was intentional, and half accidental.” Furthermore, an Associated Press analysis of data breaches and cyber security related incidents in the US Government found that since 2010, federal employees and contractors were responsible for more than half of all cyber-related security incidents. As a result, employees present a significant threat to organizations because their knowledge and roles allows access to sensitive data while circumventing security measures.
What can companies do to mitigate these risks?
While most companies focus on protecting their network from outside attacks, insider threat mitigation requires a different defensive strategy. Employees must be aware of the trending threats and methods hackers are practicing so that they can protect your organization. Here are some key areas to focus on when educating your team:
Email Security Threats
- Phishing – Phishing attacks are compromising organizations every day. Make sure your employees know what to look out for when navigating through their inbox. Always ask management before clicking on untrusted links.
- Social Engineering- In today’s hyperconnected world, it is easy for hackers to learn more about an employee’s family members, interests, and locations. It is important to make employees aware of the consequences of putting personal information on the internet. Encourage them not to give out sensitive information to untrusted sources, as this could affect the company.
Test Security Awareness of Employees
- Mock-Phishing Exercises – To help employees learn how to detect a phishing email, COMPASS recommends utilizing simulated phishing attacks.
- Tabletop Exercises – On-site training of company policies/procedures will help employees learn the role they play in securing your organization’s data.
Mobile Device Security Tips
- Smartphones – Connect to outlets, not computers.
- Laptops – Connect to a guest network. Never connect to the production network.
- USB drives – Never connect to a machine on the production network. Do not put unfamiliar USBs in your computer.
- BYOD Policy – Implement a BYOD policy which clearly states the personal devices that are allowed on the network.
Securing Sensitive Information
- Password protect proprietary documents.
- Store sensitive documents in a secure location.
- Encrypt machines with confidential information.
- Use two-factor authentication when possible.
While implementing these best practices will not guarantee data breach prevention, it will educate your employees on the importance of information security. It only takes one patch, one virus, but most importantly, it only takes one employee to turn an internal threat into a companywide data breach.
If you would like to learn more about insider threats or to schedule employee training, please contact COMPASS Cyber Security.