While it’s often assumed that the biggest threats to your company’s cyber security are from the outside, you’d be surprised to learn that the majority come from insider threats. In fact, a survey last year found that 94% of businesses had experienced a data breach from within the business. This includes contractors, former employees, current employees, and anyone who has access to sensitive information or company systems.
Worryingly, this trend is only getting worse, costing businesses more and more money each year.
The common types of insider threat to watch out for include:
- Negligent employees – A purely unintentional act from an employee who may accidentally give out a password or respond to a phishing attack.
- Disgruntled employees – Didn’t get that promotion? Felt mistreated during their tenure at the company? While not common, some employees do leak sensitive information after leaving a company.
- Partners/third party vendors – This can be either accidental or intentional.
- Corporate Espionage – While very rare, employees or ex-employees may steal company data and/or secrets in the hope that they can sell that information for money.
The good news is that the majority of these breaches can be avoided with proper internal training. It’s always best to arm yourself with an internal toolkit to reduce the risk of cyber security issues before they need to be escalated.
Here are some of the most effective ways you can reduce your exposure to insider threats.
This might sound like a broken record, but changing passwords is absolutely key to keeping much of your data safe. Encouraging your staff to do it is step one, but making it a requirement is the best approach. Ensure your IT department sets limits on how long a password can be used, and blocks access for employees who haven’t changed their passwords within a set time frame. We recommend three months as standard.
Further to this, create a simple document with the names of who has access to each password. For example, if there is a particular place in a company’s drive with sensitive information, ensure nobody blurts out the password to anyone who asks.
Always wipe tech before handing it over to a new employee
This is a big one, and it happens more often than you think. Remove the departing employee from the list of authorised users and disable access to any cloud drives to which they may be signed in. Sign out of all drives, then wipe the laptop clean of any local data and remove access, so that no data is left on it for future employees to exploit.
Focus on the basics
No one expects all employees to know how to code, but teaching them good IT practices goes a long way in protecting your business from cyber threats. Out-of-date software, for example, is the source of a staggering number of cyber-attacks, so inform your employees of this and send regular emails reminding them to update their apps and software systems.
Users should be taught how to create strong passwords, how to detect phishing and malware in e-mails, and the importance of privacy and data security best practices. Clear procedures to follow in the event of a breach can aid in mitigating the consequences.
The thing you hope you’ll never have to deal with – sabotage
I know it sounds far-fetched, but it does happen. Former or disgruntled employees can turn against their old company and share sensitive data with outside sources. Employees who are dissatisfied with their jobs may use sensitive information to harm the company’s reputation by exposing it to the public or selling it to competitors. They might also delete or alter sensitive data or sabotage key systems. Maintaining a positive company culture is obviously the first step to preventing this. From an IT perspective, try to make sure that any potentially resentful employees don’t have the opportunity to cause problems, including by removing their access to sensitive areas.
While there are many other steps that your IT department can take to protect your business from insider threats, these are key to ensuring the whole business works together to minimise the risk.