Data breaches have become a common topic in the news. While we tend to think of data breaches as being caused by hackers in faraway lands, studies consistently show that isn’t true. Internal threats are equally dangerous to customer data, whether they are caused by malicious behavior or by human error.
When employees choose to access data with malicious intent, it’s usually for one of two reasons: they are looking for financial gain or they are seeking revenge. Because they are actively choosing to access data with the sole intent of causing damage, they will also be looking for the weakest points of entry. The more layers of security you have in place – such as firewalls, antivirus software, antispyware, antiphishing software – the better you can limit what they can gain access to.
The more common internal threat comes from human error or ignorant carelessness. These behaviors often expose the company’s “hidden” vulnerabilities. Often they are caused by savvy employees looking to do their jobs more efficiently, and in the process make the company’s data more vulnerable. These well-intentioned employees:
- Bypass security because it’s time-consuming and restrictive
- Sidestep security because of the inability to perform work
- Create workarounds to improve their individual efficiencies
- Are often not aware of the company’s security policies, and in many cases haven’t received the proper training to understand the vulnerabilities
Many companies have actually rewarded employees that discover work-arounds that expose security flaws in order to bring them to light and fix them.
The most important thing companies can do is to put the right security measures in place, and follow up by providing proper employee training. The more critical data an employee has access to, the more important training becomes. Those persons in accounting, human resources, legal, personnel, account management, as well as various levels of management may have access to a higher level of data flow than others within the company. This is where your biggest vulnerabilities lie.
It’s a fine balance between security and productivity in the day-to-day workflow.
The goal is to limit who has access to what data, as well as to determine why a person needs the data he/she has requested. Tools and procedures to consider implementing include:
- System wide encryption
- Inspection access controls
- Password management
- Device recognition
- Data disposal
The battle to fight data breaches starts from the inside. While it’s important to secure all data from threats both inside and outside of your organization, it’s equally important to do so in a way that won’t hinder your employees’ progress. There is a fine line to balance all of your efforts. Want to talk more? I’m happy to share my ideas.