In a recent Digital Guardian article, 47 security consultants were unanimous in saying that insider actions were a more significant threat to your data than being hacked by outsiders. Insider data leaks happen more often, and they have a higher potential to be catastrophic than outsider attacks.
Most incidents are non-malicious and happen through ignorance or by accident.
Your top priority must be to protect your company from the massive financial and reputational consequences of any insider data theft.
1. Develop a security culture
You can’t be everywhere, and your company’s security comes down to employees seeing it as essential, rather than something to try to find workarounds for. Each individual must take responsibility for his or her own actions and those of their fellow team members. Individuals should act if they see another employee about to do something wrong.
Prevention is the best approach:
- Prevent downloads – Block off any USB or SD card slots on any devices that access your company network
- Set up a system that allows anonymous reporting of fellow employees – You can then investigate any suspicions and decide if they warrant further actions
- Install screen recording software that monitors every screen in your company – You won’t be able to watch in real time, but you’ll be glad of the recordings if the worst ever happens
- Ban private cameras, phones, tablets and laptops from your premises – If you allow employees to make some personal calls on their work phones, this will make the ban much more acceptable
- Block websites that would enable online screen recordings – Warn any employee who attempts to access a banned site
- Use thin client workstations for all staff, including managers and executives – These have no hard drives which will make it harder for employees to download malicious software to your network
- Ban video or audio calls where client data is visible or might be overheard – Video calls might show confidential data in the background which you might only hear about when it hits Twitter
- Bar anyone from taking work home – Data theft over insecure networks is too big a risk to take
- Provide everyone with a company email address and block public email networks such as Gmail and Hotmail – You can secure your company email servers and remove the possibility of someone clicking on a malicious email link
Staff will accept these security measures when you make clear that the company’s existence depends on total data security. Make any breach a severe disciplinary issue that could lead to termination of employment.
This Information-Age article goes into greater detail on establishing a cybersecurity culture in your company.
2. Kill BYOD
A ‘Bring Your Own Device’ (BYOD) policy might save your technology budget, but it represents an unacceptable risk of data leakage. Employees’ tablets and phones could be used by family members, who would then be able to access any company data on the device.
Provide mobile devices to those who need them and ensure all files are encrypted. Use encrypted cloud storage services rather than allowing storage to local hard drives and disks.
3. Love your employees
“My employees should be grateful for a job” is an attitude that will ensure they reciprocate with belligerence and negativity.
You are buying someone’s time when you give them a job; you don’t buy their soul. And you definitely don’t buy loyalty.
Loyalty needs to be earned, and the way to do that is to respect each person on your payroll for their individuality and the experience they bring to your operations. If you respect employees, they are more likely to respect your business and cooperate in security matters.
4. Install Snort
Snort, from Snort.org, lets you detect unusual activity on your network that might be the precursor to an employee running off with your database.
Snort’s cost is well worthwhile and it will more than pay for itself if it detects just one disgruntled employee before he or she does any damage.
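To make the detection idea concrete, here is an added example of a small local.rules file (constructed for this article, not taken from the Snort project or from the original post) that flags two kinds of activity a data thief tends to produce: an internal host opening a database connection to an outside address, and an internal host pushing an unusually large volume of packets out of the network in a short window. The port numbers, packet counts and time windows are assumptions to be tuned to your own network.

```snort
# local.rules -- constructed example for this article, not shipped with Snort.
# $HOME_NET and $EXTERNAL_NET are the standard variables defined in snort.conf.

# An internal host connecting to a MySQL or PostgreSQL server outside the network
# is rarely legitimate and may be a copy of your database being pushed out.
alert tcp $HOME_NET any -> $EXTERNAL_NET [3306,5432] (msg:"LOCAL Outbound database connection to external host"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)

# Crude volume check: alert once an internal host has sent 5000 outbound packets
# in 60 seconds (count and window are assumed values; tune to your baseline).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL High-volume outbound transfer from internal host"; flow:to_server,established; detection_filter:track by_src, count 5000, seconds 60; classtype:policy-violation; sid:1000002; rev:1;)

# Cleartext FTP uploads to the internet are an easy way to walk off with files.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL Outbound FTP session from internal host"; flow:to_server,established; classtype:policy-violation; sid:1000003; rev:1;)
```

Save the file as local.rules in your rules directory, make sure snort.conf contains the line include $RULE_PATH/local.rules, and run Snort against the interface that sees your outbound traffic, for example snort -c /etc/snort/snort.conf -i eth0 -A console. Treat the resulting alerts as a prompt to investigate, not as proof of wrongdoing: a backup job or a legitimate external database can trigger the same rules, so whitelist known-good destinations before relying on them.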
5. Get an assessment from Bulletproof
You might be able to sleep at night when you have put all the steps above in place, but would your confidence be justified? How do you know you are safe?
The only guaranteed way to judge the efficacy of your precautions is to pay someone to test them.
You could pay a freelance hacker you find online to try to get into your computers, but you have no way of telling how good the hacker is. Nor do you know what he or she will do if they manage to breach your defences. Will they sell what they found to another hacker, or publish your vulnerabilities for all to see?
A professional security assessment from a reputable company like Bulletproof (bulletproof.co.uk) will come at a significant cost, but you will know your data is safe.
If you treat a professional vulnerability assessment as insurance, its value becomes apparent. Having a security consultant visit your premises and check your physical and network security is the only sure way you have to guarantee against insider data theft.
Long story short
You can do a lot to protect your business from insider data theft by instilling data security as part of your company culture. However, once you have done everything you can think of, you need to pay a professional to see just how secure you are.