Advice to prevent insider security threats
Corporate cyber security efforts are often geared to address the threat of outsiders trying to hack into your network, or malware that's floating around the Internet that could harm your systems or data. But the biggest security threat may be your company's employees unwittingly exposing your network and data to much greater danger than an outsider ever could.
How do you protect against this threat? In an interview with The Enterprisers Project, Salo Fajer offers some advice. Fajer is chief technology officer of Digital Guardian, a cyber security firm based in Waltham, Mass.
The Enterprisers Project (TEP): Internal security threats are often overlooked by companies. What do IT leaders need to pay attention to that they aren't?
Fajer: Today's businesses, regardless of size or industry sector, are more digitally connected than ever before. In an average workday, employees will log onto online services such as Gmail, Dropbox, online banking, shopping and social channels. They will store sensitive documents on USB drives and cloud storage services, and send confidential files to the nearest printer. These are everyday practices that companies overlook as standard workflow without realizing the immense cyber security risk employees are causing.
A survey by the SANS Institute confirmed that insider threat is a key concern for IT security professionals. But of the 770 businesses polled, 32 percent had no systems in place to protect against insider attacks, while 44 percent could not say how much they spent on preventing internal threats.
IT leaders must pay attention to safeguarding sensitive business data against internal threats, just as much as they do with external attackers. To do so, they must implement proper technology, such as data loss prevention software, to catch internal threats before they become a bigger issue.
TEP: Internal security threats aren't always malicious, but what are some cases where an employee might accidentally cause a security breach?
Fajer: Employees, at the end of the day, are only human — mistakes will happen. It's not uncommon for an employee or third-party contractor to accidentally send an email to the wrong cached email address, misplace a USB stick with sensitive data stored on it, or click on a targeted spear-phishing message. Additionally, employees may handle sensitive information without even knowing it, due to mislabeling of files or improper restrictions placed on such data. With no harm intended, these actions can place a company's most sensitive information in the hands of the unknown.
Companies of all sizes can take several steps to prevent these sorts of security breaches. To begin with, as a preventive measure, implement data loss prevention technology that will help prevent the loss of sensitive data should these breaches occur. Ensure an up-to-date Acceptable Use Policy is read by the employee, signed and adhered to. These policies outline the proper handling and use of sensitive business data.
From there, provide ongoing training and get top-down buy-in to demonstrate how seriously the organization takes data protection. Lastly, make sure the right levels of protection exist for sensitive corporate data and continuously revisit the lists of who has access to what. Passwords, multi-factor authentication and encryption should all be used depending on the sensitivity of the information.
These security measures need to be combined with regular reviews of the access privileges of employees. Grant access to systems, applications and data based on the minimum required by their position and let them know additional access can be granted if necessary. Similarly, be sure to terminate access that is no longer needed or scale back access once a project is finished.
TEP: Some security breaches are intentionally caused by disgruntled or dishonest employees. What are the best practices for preventing these sorts of breaches?
Fajer: One of the best practices IT can embrace is to be vigilant. Monitor for any behavioral changes and report any red flags. For example, is the employee accessing data at odd times, such as on sick leave, off-hours, or during vacation? Other suspicious activity might include an employee complaining more or being less cooperative than usual, and taking an interest outside the scope of his or her responsibilities. Other employees are often the first to notice if something is off, so having an open communication channel in place for reporting these concerns should be a priority.
Secondly, when an employee leaves the company, this should automatically set off a series of security measures. Even if the parting is amicable, employees leaving the company may be tempted to take information with them to their next employer. Immediately terminate all employee accounts. Remove them from all access lists, and ensure departing employees return all access tokens and any other means of access to secure accounts.
TEP: In every company, there's a delicate balance between too little security and alienating employees with too much security and possibly causing them to circumvent employer systems altogether. How do you create an effective security system that employees will willingly accept?
Fajer: The following point should be understood across the board: The company reserves the right to monitor all activity on company-provided equipment and networks. A clear Acceptable Use Policy takes the guesswork out of what is appropriate use of the organization's data. Once the policy is in place, employees must be educated and trained. Lastly, they must officially agree to it and abide by it. This process is important in fostering a sense of accountability within the workforce.
Ultimately, while employees may prefer the convenience of personal online services such as Gmail, Dropbox, or social channels during work hours, the company's security is far more important than anything else. For this reason, employees should understand and adhere to company policies, and it's up to the company to have clear rules and continuous training in place so every staff member is up to speed on security.
TEP: Any other advice for CIOs about dealing with insider security threats?
Fajer: Guarding against insider attacks is a fine balancing act. A business must maintain a happy, productive workforce but not an "anything goes" attitude. Technology solutions can set the parameters for access privileges, but this is only one part of the solution. Employees need to know what constitutes acceptable information sharing and know how to sound the alarm if something is amiss.
Salo Fajer is chief technology officer at Digital Guardian, driving the company’s strategic vision and core innovation efforts while also overseeing product management, product marketing and product content development. He has over 25 years of experience in the industry, having held diverse technical leadership roles in product management, operations, consulting, and sales engineering.