Cyber-security: Minimizing Internal Threats
January 30, 2014
Like a magician’s sleight of hand, the barrage of headline news related to hackers and cyber criminals may divert attention away from the equally dangerous, but perhaps less obvious, threat to your corporate assets: employees. While trusted employees are moving, sharing, and exposing corporate data just to do their jobs, the malicious employee may be deliberately taking confidential information for personal gain or other nefarious reasons.
In today’s mobile environment, employees have the ability to move sensitive corporate data outside the organization by many methods, including:
- Emailing documents from workplace to personal email accounts
- Downloading documents to personally-owned tablets, smartphones, thumb drives, or other electronic storage devices
- Moving information to the cloud
To make matters worse, the data is rarely cleaned up: by failing to take steps to delete it, employees expose the company to further risk. A multi-pronged approach can help minimize the risk of internal threats:
- Employee education. Employee training and awareness are critical. Many employees are not even aware that they are putting their employers at risk by moving or sharing company information across multiple media – while others simply do not believe that taking confidential company information is wrong. Create and enforce policies detailing the dos and don’ts of information use and provide regular security awareness training. Make sure that all employees are aware that policy violations will affect their jobs.
- Use and enforce non-disclosure agreements. Employment agreements should include specific language regarding the use of confidential company information and the employee’s responsibility to safeguard such information. Conduct exit interviews with departing employees that include a review of the non-disclosure agreement. Be sure to collect all company-owned computers, tablets, phones, and electronic storage devices.
- Implement monitoring technology. Leverage technology to gain insight into where company information is going and how it is leaving. Implement monitoring technology to notify management when sensitive information is sent, copied, shared, or otherwise exposed.