When you think about protecting your business from security threats, you’re probably picturing external threats, like hackers. But insider threats can be just as big a concern. 51% of business owners worry about accidental insider security breaches and 49% worry about malicious insider security threats. Although most of your employees will have your company’s best interests at heart, you may have good cause for concern.
There are two types of insider threats. The first is accidental. This means an employee may negligently cause a data breach, disclose information where they shouldn’t, or let malware into your network by falling for a convincing phishing email. Although unintentional, these threats create real risk and could cost you money or reputation.
The best avenues to combat these threats are education, communicating technology policies often, and keeping security front of mind with simulated phishing exercises and regular reminders about current cybersecurity threats.
Then there are threats where the person involved has more foresight and malicious intent. This involves employees, former employees, and others with access to your organization who engage in fraud, theft, and sabotage of your systems and information. Few business leaders like to think about these insider threats, but ignoring them will leave your business more vulnerable. Executives and owners need to control their risk and mitigate threats and vulnerabilities as much as possible.
Create clear-cut security policies
All your existing employees and any future employees can benefit from a document that details your security policies. The type of policies you include will vary according to the nature of your business. Email is a simple example: you might instruct employees not to open links or attachments sent from unknown email addresses. When policies are documented clearly and shared for easy reference, negligent insider threats are less likely to happen.
Generate different levels of access
Depending on the size of your business, it’s unlikely that employees at all levels need to access the same type of information. Of course, it’s easy to state that all employees can access the same information and simply have them sign an NDA. However, the greater the number of people who can access information, the more chances there are for errors and oversights to occur. Instead, create access levels that are granted on a need-to-know basis. If an employee doesn’t need to know something, they shouldn’t be able to access that specific document or secure server.
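The need-to-know model described above, as an added example that is not part of the original article: a small deny-by-default access check where each role is granted an explicit set of resources, plus an exposure report that lists who can reach a given resource (the more names on that list, the more room for the errors and oversights mentioned above). The roles, resources, and employees are constructed for illustration.

```python
"""Need-to-know access checks: deny by default, grant per role.

Added example, not code from the original article. The roles, resources and
employees below are constructed sample data.
"""
from dataclasses import dataclass

# Each role maps to the set of resources it may access.
# Anything not listed here is denied, so an unknown role or an unlisted
# resource fails closed rather than open.
ROLE_PERMISSIONS = {
    "sales": {"crm", "price-list"},
    "finance": {"ledger", "payroll", "price-list"},
    "it-admin": {"server-backups", "crm", "ledger"},
}


@dataclass(frozen=True)
class Employee:
    name: str
    roles: frozenset  # an employee may hold more than one role


def can_access(employee: Employee, resource: str) -> bool:
    """Return True only if at least one of the employee's roles grants the resource."""
    for role in employee.roles:
        if resource in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False  # deny by default


def exposure(resource: str, employees) -> list:
    """Names of everyone who can reach `resource`, sorted.

    Reviewing this list per sensitive resource is the practical way to keep
    access on a need-to-know basis: every name should have a reason to be there.
    """
    return sorted(e.name for e in employees if can_access(e, resource))


# Constructed staff list.
STAFF = [
    Employee("alice", frozenset({"sales"})),
    Employee("bob", frozenset({"finance"})),
    Employee("carol", frozenset({"intern"})),  # role with no grants: sees nothing
    Employee("dave", frozenset({"it-admin"})),
]

if __name__ == "__main__":
    for resource in ("payroll", "price-list", "server-backups"):
        print(f"{resource}: {exposure(resource, STAFF)}")
```

Running the block prints, for each resource, exactly who can reach it; a resource that every employee can reach is the signal that access has been granted by convenience rather than by need.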
Document termination procedures
Presumably, you performed a background check before hiring an employee. You probably checked references and also used a little intuition when choosing to bring someone aboard. However, when that person resigns or is asked to leave, a clear-cut list of job termination related tasks should begin immediately.
It’s not always as simple as disabling an account or taking possession of their laptop, so a checklist may help ensure it’s all covered. Make sure you remove their name from any physical access lists, remove key card access, change locks or door codes they had access to, change passwords and disable accounts for systems or applications they used, remove their work email account and associated emails from any mobile device they used (where the device is company-owned and you have access to it), notify your team and any clients the employee serviced, and notify all of your service providers, too.
And remember, just because a former or current employee has an admin password to your systems, they do not have implicit authorization to access those systems. You have recourse with local and federal law enforcement for any unauthorized use of information, even when you slip up on removing access and changing all the right passwords.
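Because the checklist above is easy to slip up on, an audit that reconciles the HR departure list against your account and secret inventories catches what was missed. The following is an added example, not code from the original article: it flags accounts that are still enabled after a departure date and shared secrets (door codes, shared admin passwords) that were last rotated before someone who knew them left. The roster, systems, and rotation dates are constructed sample data.

```python
"""Offboarding audit: find access that should have been revoked.

Added example, not code from the original article. The HR roster, account
inventory and shared-secret rotation dates below are constructed sample data.
"""
from datetime import date

# Constructed HR roster: username -> last day of employment.
DEPARTED = {
    "jsmith": date(2024, 3, 1),
    "mlee": date(2024, 4, 15),
}

# Constructed account inventory exported from each system (email, VPN,
# badge system, CRM ...). "enabled" is whether the account can still log in.
ACCOUNTS = [
    {"system": "email", "user": "jsmith", "enabled": False},
    {"system": "vpn", "user": "jsmith", "enabled": True},
    {"system": "badge", "user": "mlee", "enabled": True},
    {"system": "crm", "user": "mlee", "enabled": False},
    {"system": "email", "user": "aturner", "enabled": True},  # still employed
]

# Constructed shared secrets that departed staff may have known,
# with the date each was last rotated.
SHARED_SECRETS = {
    "server-room-door-code": date(2024, 1, 10),
    "backup-admin-password": date(2024, 5, 1),
}


def lingering_access(departed, accounts, today):
    """Enabled accounts belonging to people who have already left.

    Returns findings sorted with the oldest departure first, since the longer
    an account has outlived its owner's employment, the more urgent it is.
    """
    findings = []
    for acct in accounts:
        left = departed.get(acct["user"])
        if left is None or not acct["enabled"]:
            continue  # current employee, or already disabled
        findings.append(
            {
                "user": acct["user"],
                "system": acct["system"],
                "days_since_departure": (today - left).days,
            }
        )
    return sorted(
        findings, key=lambda f: (-f["days_since_departure"], f["user"], f["system"])
    )


def stale_shared_secrets(departed, secrets):
    """Shared secrets last rotated before at least one departure.

    Disabling a personal account does nothing for a door code or shared
    password the person memorised; those have to be changed after they leave.
    """
    stale = set()
    for left in departed.values():
        for name, rotated in secrets.items():
            if rotated < left:
                stale.add(name)
    return sorted(stale)


if __name__ == "__main__":
    today = date(2024, 5, 1)
    for f in lingering_access(DEPARTED, ACCOUNTS, today):
        print(f"OPEN: {f['user']} still enabled on {f['system']} "
              f"({f['days_since_departure']} days after departure)")
    for name in stale_shared_secrets(DEPARTED, SHARED_SECRETS):
        print(f"ROTATE: {name} was last changed before a departure")
```

Run it on a schedule, feeding it the real HR roster and account exports; an empty result is the evidence that the termination checklist was actually completed, and anything it prints is a gap that the law-enforcement recourse mentioned above should never have to cover.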
Mitigating insider threats involves ongoing effort and some expense, but it pales in comparison to the possible damage an insider incident can do to your company checkbook and reputation. Be proactive and defend your livelihood with an uncompromising posture on cybersecurity and physical security.