Five Steps To Securing Your Greatest Asset: Your Employees

By ISBuzz Team | September 18, 2017 | 5 Mins Read

Employees can be your biggest asset. If not managed properly, they can also be your weakest link. The trick lies in empowering them to do their jobs properly using the technology at their disposal, while preventing them from making mistakes with your data, or simply going rogue and causing intentional damage.

Using a mixture of process, policy and technology, you can maintain an efficient, secure workforce that won’t mishandle valuable information. This article shows you how.

Earlier this year, HANDD Business Solutions surveyed over 300 IT professionals in the UK about their information security concerns. 43% of them said that employees were their company’s greatest asset, but 21% also said that employee behaviour was the biggest challenge to data security.

When employees make mistakes or intentionally go bad, the results can be devastating. We have seen an employee at BUPA take customer information related to 108,000 health insurance policies from the company. An IT worker at Expedia accessed confidential information. We have seen other insider-related breaches at T-Mobile and elsewhere.

Employees can create problems for companies intentionally or by mistake. In most cases, the results are the same: reputation damage, lost sales and the potential for regulatory fines. Driving a culture of security throughout the company is essential, and employees are an important part of that. Doing it properly takes a multi-layered approach involving both employee awareness initiatives and technical measures.

Here are five things you can do to help prevent malicious or misguided insider threats.

Designate your employees

You can’t protect data if you don’t know what it is and who has access to it. Begin by defining roles and responsibilities for those in your organisation and for third parties with access to your systems. By understanding what their responsibilities are, you can assess their rights to access varying types of records and files. A junior executive may not need to view your entire customer list, so why let them access it on your networked storage – or worse still, copy it to a USB key?

Defend your data

Armed with a clear understanding of how different files and records map to different employee roles, you can use technology to control their access. Data classification is an important part of this picture. Modern data management tools enable companies to tag files and records with metadata describing their properties. These can include their level of sensitivity and who handles them.

Identity and access management (IAM) tools can use this metadata to automatically enforce access policies for each user. IAM tools will apply least-privilege access to employee accounts, blocking data that they are not authorised to use.

Your employee security doesn’t stop there, though. Even authorised employees can act inappropriately. Use other technology controls to prevent unwitting or intentional violation of data security policies.

Data leak prevention software is one useful technology measure that can recognise data in a sensitive format when it crosses critical touchpoints within a company. Administrators can use it to stop employees from copying it to removable drives or emailing it somewhere.
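
The two controls described in this section can be sketched together: a least-privilege read check driven by classification metadata, and a DLP check at egress touchpoints that also inspects content. This is an added example, not code from the article or from any IAM or DLP product; the label scheme, role names, channel names and sample records are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
DLP_CHANNELS = {"usb", "email_external"}  # touchpoints where data leaves the company
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

@dataclass(frozen=True)
class Record:
    name: str
    sensitivity: str      # classification tag
    handlers: frozenset   # roles that handle this data
    body: str = ""

@dataclass(frozen=True)
class User:
    role: str
    clearance: str

def can_read(user, rec):
    """Least privilege: clearance must cover the tag and the role must be a handler."""
    need, have = LEVELS.get(rec.sensitivity), LEVELS.get(user.clearance)
    if need is None or have is None:
        return False  # missing or unknown label: fail closed
    return have >= need and user.role in rec.handlers

def has_card_number(text):
    """Content check: 13-19 digit runs that pass the Luhn checksum."""
    for m in CARD_RE.finditer(text):
        digits = [int(c) for c in m.group() if c.isdigit()][::-1]
        total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                    for i, d in enumerate(digits))
        if 13 <= len(digits) <= 19 and total % 10 == 0:
            return True
    return False

def egress_allowed(user, rec, channel):
    """DLP: an authorised reader still cannot move sensitive data off-network."""
    if not can_read(user, rec):
        return False
    sensitive = LEVELS[rec.sensitivity] >= LEVELS["confidential"] or has_card_number(rec.body)
    return not (channel in DLP_CHANNELS and sensitive)

# Constructed sample data (not from the article's survey or any real system).
JUNIOR = User("junior_executive", "internal")
MANAGER = User("sales_manager", "confidential")
CUSTOMERS = Record("customer_list.csv", "confidential", frozenset({"sales_manager"}))
NOTES = Record("notes.txt", "internal", frozenset({"junior_executive", "sales_manager"}),
               "Customer paid with card 4111 1111 1111 1111 today")
UNTAGGED = Record("export.csv", "", frozenset({"sales_manager"}))
```

The content check catches the under-labelled `notes.txt`, which is why DLP inspects what the data looks like rather than trusting the tag alone, and the untagged export is denied outright because a missing label fails closed.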

Train employees in company processes

Don’t rely entirely on technology to enforce your security processes for you. Employees need education to be truly effective data security advocates. Train them in classifying your data properly to ensure that they label it appropriately.

Train them in spotting ‘soft’ security threats that can derail even the tightest technology protections. Attackers use social engineering attacks ranging from phishing to phone calls. They are experts in persuading employees to give up their passwords or send company funds to fraudulent accounts.

Engage employees

Across the land, companies are delivering dry cybersecurity awareness lectures to bored employees in airless rooms. These initiatives couldn’t fail harder if they tried. To really get employees on board, managers must rethink employee engagement and deliver engaging content that inspires.

Inspiring employees is a challenge with cybersecurity education, which can feel like dictatorial finger-wagging if mishandled. The key is to understand employees’ own processes and minimise the negative impact of cybersecurity measures on their daily jobs. Talk to employees in their own language, and listen to them as they describe their daily working patterns.

Relate cybersecurity to employees’ everyday lives. An employee who understands what can happen when they mismanage their own digital information will more readily appreciate the need for secure processes in the workplace.

Test your training

Finally, don’t make employee awareness initiatives a ‘fire and forget’ exercise. It is easy to overlook the training and lapse back into old patterns. Routinely reinforce their cybersecurity education with refresher sessions, emails and perhaps even posters. Make sure that departmental and mid-level managers enforce these policies as part of their jobs, leading by example.

Test what employees have learned with live-fire exercises. Some consultancies will phish employees for you to see who takes the bait, for example. Consider folding security compliance into performance reviews, but don’t make poor performance a blame game. Encourage, don’t chastise.

Armed with these measures, companies can maximise employee productivity without risking any data mishaps. Don’t spend your time worrying about insider threats. Instead, create a culture that encourages everyone to protect their employers’ best interests.

About Danny Maher
