When you think about protecting your company’s confidential data, more than likely you’re considering the threats that come from outside the walls of your building. As you should. But how well are you protecting your company from internal threats?
It’s not something you want to think about. After all, for many companies, employees are like family. But statistics bear out the need to implement security measures that protect your business against internal threats.
According to one report involving the health-care industry, more than 9 out of 10 data breaches (impacting 500 or more people) were linked to the organizations’ own employees, not to hackers.
Another recent survey revealed that 73 percent of companies have been impacted by internal information security incidents. It also showed that employees were behind most of the confidential data losses companies experience — 42 percent of those cases. The IT Security Risks Survey, which was conducted by Kaspersky Lab and B2B International, points to a combination of issues — including accidental data leaks (28 percent) and intentional leaks (14 percent) of company data; the loss or theft of employee mobile devices that contained company data (19 percent); and employees’ use of company resources for personal purposes (15 percent).
The cost of employees’ fraudulent activities? An average of about $40,000 for small- to medium-sized businesses, and more than $1.3 million, on average, for enterprise businesses.
When developing a security plan that takes into account potential internal threats, consider the following tips:
- Restrict access rights. Limit the number of people who have access to confidential information as well as IT equipment.
- Educate your employees. Don’t take it for granted that your employees understand the complexities of network security and protecting the company’s confidential data. Spell it out verbally and in writing.
- Establish a mobile device security plan. Make sure mobile devices are as secure as desktop equipment. Also develop a BYOD (bring your own device) policy if you’re finding that employees are using personal equipment to perform work tasks.
- Clearly communicate penalties for security or confidential data violations. Be prepared to follow through in the case of a documented violation.