The topic of cybercriminals can invoke the image of a scruffy-looking hacker glaring at a computer screen from a mysterious location. But the most serious threats to your business’s information security could be much closer than you think.
A growing number of small and midsize businesses consider internal security breaches—accidental and malicious—from employees a bigger risk than cyberattacks that emanate from the outside, according to the results of our recent survey. The survey of 251 IT decision makers at companies with 250 or fewer employees revealed that:
—38 percent of those businesses have experienced internal IT security incidents in the past year.
—32 percent of those businesses have experienced external IT security incidents in the past year.
—55 percent of the small businesses surveyed are more concerned with internal threats than external threats.
—71 percent of the midsize businesses surveyed are more concerned with internal threats than external threats.
Insider IT security threats come in two flavors: malicious employees who steal data or sabotage IT systems on purpose, and well-meaning insiders who accidentally delete important files, open the wrong e-mail attachments, or fail to install security patches and leave networks open to attack.
The good news is there are practical steps you can take to significantly reduce the risks associated with malicious and unintentional insider security threats. Here are 10 ways to start protecting your business now:
1. Back up your data
No matter how much a business guards against insider threats, bad things can still happen. That’s why a backup and disaster recovery strategy is essential. Invest in a backup service that offers automatic, versioned backup (Carbonite is one such service). Back up your data regularly to on-premises servers as well as to the cloud. And be sure to test the backup system’s restoration capabilities on a regular basis so you know critical data will be accessible when you need it most.
2. Train employees on digital hygiene best practices
Every business gets bombarded with so-called “phishing” e-mails that contain virus-laden attachments and links to malicious websites. These e-mails are sent from outside cybercriminals, but it takes a positive action from a company insider—like clicking a link or opening an attachment—to unleash a world of trouble. Make sure employees are aware of the latest methods being used by cybercriminals. Advise them not to interact with suspicious e-mails and to never open an e-mail attachment unless they’re absolutely certain of where it’s coming from.
3. Test employee awareness with real-life scenarios
One of the best ways to avoid falling victim to cyberattacks is to test them regularly in real-life scenarios. Many IT security vendors offer solutions that allow you to simulate the latest phishing tactics and test your employees’ responses. You will gain insight into common mistakes, and your employees will become accustomed to the latest threats.
4. Limit employee privileges
Another effective way to guard against malicious insiders is to enforce least privilege. That means employees should only have access to the data and applications they need to do their jobs—and nothing more. Just remember that least privilege needs to be managed on an ongoing basis. Access and privileges should be updated whenever an employee gets promoted, transferred, or leaves the company altogether.
5. Create a backup policy at the system administrator level
Install backup software on computers and laptops before they are distributed to employees, and manage them centrally. The backup software should be configured so that only an employee with administrator privileges can make changes to the backup policy associated with the computer. This way, if a disgruntled employee decides to wipe the laptop clean, you’ll still have a backup of all the work that has been completed on that device.
6. Review password management policies
Password crackers, social engineering, and keystroke loggers are just a few of the ways malicious insiders obtain passwords and compromise user accounts. That’s why strong password and account management policies are essential. Passwords should be changed regularly, and they should include upper and lowercase letters in combination with numbers and special characters. But remember, passwords that are difficult for employees to remember often end up written down within arms’ reach of the keyboard. Encourage good memory techniques over sticky notes.
7. Implement strong management policies for privileged users
Highly privileged users, such as systems administrators and other technical personnel, have more opportunities to commit sabotage than most employees. Consider having privileged users sign an agreement that outlines exactly what they’re allowed and not allowed to do when accessing user accounts. It’s also a good idea to use monitoring and audit technologies. Just make sure they comply with privacy laws in your region.
8. Implement strong remote access controls
Malicious insiders often choose to attack organizations remotely. It’s a handy way to commit a crime without being seen by fellow employees. While providing remote network access to employees can increase productivity and efficiency, it’s important to be extremely careful with regard to remote access policies. Providing remote access to e-mail and non-critical data is fine, but consider limiting remote access to your company’s most critical business information and applications. Access should be restricted to the systems and data required to perform essential job responsibilities.
9. Implement a well-defined employee termination policy
There are several steps you can take to reduce the risks posed by employees that have recently quit or been terminated. In addition to revoking physical access to company facilities, close all of their user accounts, including e-mail, network logins, VPN access, cloud services, and on-premises applications. Also remove the employee from e-mail distribution lists and alerts.
10. Be extra cautious about social media
People post all kinds of things on social media sites like Facebook and Twitter. Social media profiles may include birth dates, likes and dislikes, employment information, and more. Malicious insiders can use information found there to target fellow employees that have unwittingly given clues to sensitive information. Companies should enact clear policies and train employees and business partners on what is an inappropriate use of social media.