So far we’ve looked at the types of malware plaguing businesses from a few angles, including phishing attacks and ransomware. Just when you thought you had been sufficiently scared to open your laptop, along comes yet another major threat, particularly to small businesses.
Generically termed “insider threat,” this very real risk to businesses is caused by a current or former employee, a contractor, vendor, or any other individual associated with the organization with access to company data. Insider threat occurs when these people, whether knowingly or unknowingly access confidential information or corrupt files. And the problem is larger than you might think, with a fairly recent report indicating that roughly 25% of breaches are a result of insider threats.
These threats come in a variety of forms, with some of the most common being:
- An employee is a victim of a phishing scheme
- An employee opens a malicious email
- Lost laptop or USB devices with company data
- Insufficient vetting of employees
- Employee taking advantage of database access privilege
- Introduction of a corrupted device to the company network
So, how can you block these threats – whether perpetrated either through orchestrated malicious intent or by an innocent click on an illicit link?
A robust culture of security awareness should be at the core of any business; there is too much to lose both financially and reputation-wise in the aftermath of a network breach. Enter the employee security policy.
An employee security policy should include procedures to prevent and detect misuse, list guidelines should an investigation be needed, and underscore the potential consequences of misuse.
The policy should be comprehensive regarding actions that are unacceptable and include language clearly stating that intentionally compromising access to resources, data or removing sensitive data is a banned activity.
A security policy should specify who in the organization is allowed access to specific data and also who they’re allowed to share the information with. Make sure every employee has read, understood, and signed the policy. Network security is a serious matter, to put it mildly. Your policy should spell out a clear set of procedures and penalties for breaches. A policy that is wishy-washy about compliance is tantamount to no policy at all.
Take into account that a security policy is not necessarily a “one and done” effort. Employees come and go, data becomes outdated, new security threats rear their ugly heads. A security policy is a fluid breach control mechanism that should be updated regularly and with each update, staff members should be informed of any changes.