Protecting sensitive information and intellectual property, be it from malicious or disgruntled employee’s stealing data, or those unintentionally violating data use policies, should be a priority for all organisations.
Disabling outdated user accounts when employees exit an organisation, implementing policies with privileged account passwords, updating them regularly and limiting access to corporate systems, are all crucial to keeping data secure.
Passive human error through carelessness in the practice of sensible security, or simply not adhering to security policies is one thing. Employees holding grudges perhaps due to increased workload, or insufficient pay, or those made redundant, is most certainly another.
Whether it be a lackadaisical attitude toward security, or an act of intent, both can be equally significant, with potentially catastrophic implications to an organisation.
Whilst we might assume that the majority of staff within an organisation are honest and trustworthy, the ‘insider threat’ is ever present. Whether it be a deliberate malicious attack, negligent behaviour, or purely a lack of policy control over corporate data, the risks are munificent.
Whilst many organisations are prepared for security attacks, with processes in place to ensure security on their own systems, few employers expect their employees/ex-employees to steal their company data.
Following the Edward Snowden revelations in 2013, IT departments are now tasked with monitoring and awareness of potential insider threats.
Though Edward Snowden’s work with the CIA and other US intelligence agencies put him in the position of a highly trusted employee, this trust provided him with everything he needed to accomplish what he set out to do.
There were no measures in place to stop him and prevent what was quite possibly the biggest information leak in the history of the US.
The insider may seem innocuous, but they are a viable threat to any organisation with valuable information such as payment card, intellectual property and proprietary business data.
Threats can come from employees in the office, former disgruntled employees, contractors, or any other business associate that has authorised access to corporate data.
The risks come from those that intentionally misuse their access to data and use it to cause a negative and detrimental impact on the confidentiality and integrity of sensitive information.
Whilst insiders pose a massive risk to the security of company intellectual or digital assets, it also presents some huge challenges to the management of staff, and the security protocols and policies that must be in place to protect sensitive information.
Passwords alone are inherently insecure, and should not be solely relied upon. Multi-factor authentication such as voice, retina or biometrics alongside existing password controls will tick a box in a long list of vulnerabilities to secure.
Education and awareness are also critical in understanding a business’s operating environment, and applying the necessary policies to effectively mitigate the risks.
There is no one-size-fits-all approach when it comes to formulating a security policy; it needs to take into account new developments, disruptive technologies and the ongoing evolving, sophisticated nature of cyber attacks and insider threats.
Data on the move
The challenges of BYOD (bring your own device) and flexible working further exemplify the issue of data privacy and security. If an ex-employee holds a grudge against an organisation, for example, given the time and the inclination, they could very easily compromise sensitive information if the access via personal devices is not restricted.
Companies can no longer shy away from the increasing number of employees working from home and on the move, from a myriad of devices, both personal and company managed.
With the flexibility of being able to work remotely from almost anywhere, businesses are required to trust their employees and rely on them taking the right precautions to keep sensitive information secure.
The outside malware risks might be obvious to an organisation, but the threat from inside can easily go undetected if the correct information security policies are not in place to govern the behaviour of employees working remotely.
If data isn’t encrypted, its integrity can easily and quickly be compromised. Employers need to be able to manage and track it. Knowing who’s accessed it, from what location, and on what devices that information resides is essential.
Whilst this can be difficult across a fragmented IT environment, companies need to be confident that if a device is considered to be compromised, they can remotely lock it down, wipe it, or initiate a self-destruct sequence to remove the data, whether in transit or at rest, to protect themselves and their stakeholders.
As more and more employees work from increasingly disparate and varying locations, a key element of any security policy should seek to protect the data on those devices and state that only password protected USB devices should ever be used to store corporate data.
If not, sensitive data can easily be stored and used at a later date, when a former employee might want to seek his, or her, revenge.
Don’t let go
Having to ‘let go’ of staff is never an easy task, but organisations need to ensure that if they are faced with the prospect of firing an employee, they don’t let go of their data security in the process.
Permissions, privileges and email should be cut off almost immediately. Access to sensitive or important documents such as customer contact lists should be limited to avoid the potential for these to be copied and used/passed on at a later date.
Ensure you can account for and collect any devices that may have been issued such as mobile phones, tablets, laptops, proprietary software or data, failing to do so could have detrimental repercussions.
The challenge for the future is to ensure intellectual property and sensitive data remain secure. Account passwords need to be updated, user accounts of former employees deleted, and access to VPNs and email systems revoked.
Organisations need to act now before our data security gets the sack for being too slack.
Sourced from Nick Banks, Imation Mobile Security