When you think about protecting your business from security threats, you’re probably picturing external threats, like hackers. But insider threats can be just as big a concern. 51% of business owners worry about accidental insider security breaches and 49% worry about malicious insider security threats. Although most of your employees will have your company’s best interests at heart, you may have good cause for concern.
There are two types of insider threats. The first is accidental: for example, an employee falls for a phishing email. The result may be a data breach, an information disclosure, or malware in your network. Although unintentional, these threats create real risk and could cost you money or reputation.
The best avenues to combat these threats are education, communicating technology policies often, and keeping security front of mind with simulated phishing exercises and regular reminders about current cybersecurity threats.
Then there are deliberate threats, where the person involved acts with foresight and malicious intent. They could be employees, former employees, or others with access to your organization. When they engage in fraud, theft, or sabotage of your systems and information, the outcomes can be horrendous. Few business leaders like to think about these insider threats, but ignoring them leaves your business more vulnerable. Executives and owners need to control their risk and mitigate threats and vulnerabilities as much as possible.
Create clear-cut security policies
Every existing and future employee benefits from a document that details your security policies. The policies you include will vary with the nature of your business. Email is a common example: you might instruct employees not to open links or attachments from unknown email addresses. When policies are documented clearly and shared for easy reference, negligent insider incidents are less likely to happen.
Generate different levels of access
Depending on the size of your business, it’s unlikely that employees at all levels need to access the same type of information. Of course, it’s easy to state that all employees can access the same information and make them sign an NDA. However, the greater the number of people that can access information, the more chances there are for errors and oversights to occur. Instead, create access levels that are granted on a need-to-know basis. If an employee doesn’t need to know something, they shouldn’t be able to access that specific document or secure server.
Document termination procedures
Presumably, you performed a background check before hiring an employee. You probably checked references and also used a little intuition when choosing to bring someone aboard. However, when that person resigns or is asked to leave, a clear-cut list of termination-related tasks should be started immediately.
A termination checklist is very important. Some departures are simple, but many have more complex connections to your firm’s electronic assets. Remove the person’s name from any physical access lists, remove key card access, and change locks or door codes they had access to. Change passwords and disable accounts for every system or application they used. Remove their work email account and associated emails from their personal mobile device (if company-owned and accessible). Notify your team and any clients the employee serviced, and notify all of your service providers, too.
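The need-to-know access levels described above and the account-revocation steps of the termination checklist can be modelled together. The following is an added example, not code from the original article: a deny-by-default access policy in which every user starts with no access, grants are made per resource, the "exposure" (number of user-to-resource pairs that could leak) is compared between an everyone-sees-everything model and a need-to-know model, and an offboarding step disables the account, revokes every grant, and verifies that nothing remains. The users, roles and resource names are constructed for illustration.

```python
"""Need-to-know access model with deny-by-default checks and an offboarding
step that revokes every grant and verifies no residual access remains.
Added example; all users, roles and resources below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    # resource -> set of users explicitly granted access (need-to-know grants)
    grants: dict[str, set[str]] = field(default_factory=dict)
    # accounts disabled on termination; any check for them fails regardless of grants
    disabled: set[str] = field(default_factory=set)

    def grant(self, user: str, resource: str) -> None:
        """Record an explicit grant; access never exists without one."""
        self.grants.setdefault(resource, set()).add(user)

    def can_access(self, user: str, resource: str) -> bool:
        """Deny by default: a disabled account or a missing grant means no access."""
        if user in self.disabled:
            return False
        return user in self.grants.get(resource, set())

    def exposure(self) -> int:
        """Count (user, resource) pairs that can be reached.

        Each pair is a place where an error, an oversight or misuse can occur,
        so a smaller number means a smaller insider blast radius."""
        return sum(len(users - self.disabled) for users in self.grants.values())

    def offboard(self, user: str) -> list[str]:
        """Disable the account and strip every grant.

        Returns the resources revoked so the termination checklist can be audited."""
        self.disabled.add(user)
        revoked = sorted(r for r, users in self.grants.items() if user in users)
        for resource in revoked:
            self.grants[resource].discard(user)
        return revoked

    def residual_access(self, user: str) -> list[str]:
        """Resources the user is still granted; after offboarding this must be empty."""
        return sorted(r for r, users in self.grants.items() if user in users)


def build_example() -> tuple[AccessPolicy, AccessPolicy]:
    """Return (everyone-sees-everything policy, need-to-know policy) for constructed data."""
    users = ["alice", "bob", "carol", "dave"]
    resources = ["payroll", "customer-db", "source-code", "hr-files"]

    # Model 1: "all employees can access the same information, just sign an NDA"
    everyone = AccessPolicy()
    for resource in resources:
        for user in users:
            everyone.grant(user, resource)

    # Model 2: grants limited to what each constructed role needs to know
    need_to_know = AccessPolicy()
    need_to_know.grant("alice", "payroll")        # HR
    need_to_know.grant("alice", "hr-files")       # HR
    need_to_know.grant("bob", "source-code")      # engineer
    need_to_know.grant("carol", "customer-db")    # support engineer
    need_to_know.grant("carol", "source-code")    # support engineer
    need_to_know.grant("dave", "customer-db")     # sales
    return everyone, need_to_know


if __name__ == "__main__":
    everyone, need_to_know = build_example()
    print("exposure, everyone-sees-everything:", everyone.exposure())
    print("exposure, need-to-know:", need_to_know.exposure())
    print("bob -> payroll allowed?", need_to_know.can_access("bob", "payroll"))
    # Carol leaves the company: disable, revoke, and verify nothing is left.
    print("revoked on offboarding carol:", need_to_know.offboard("carol"))
    print("carol residual access:", need_to_know.residual_access("carol"))
    print("carol -> customer-db allowed?", need_to_know.can_access("carol", "customer-db"))
```

With four users and four resources, the everyone-sees-everything model exposes sixteen user-to-resource pairs while the need-to-know model exposes six, and offboarding a user drives that user's residual access to zero. In a real environment the grants would be read from your directory and application permission exports rather than constructed in code, but the verification step, checking that nothing remains after a departure, is the part of the checklist most often skipped.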
And remember: just because a former or current employee holds an admin password to your systems, they do not have implicit authorization to access those systems. You have recourse with local and federal law enforcement for any unauthorized use of information, even when you slip up on removing access and changing all the right passwords.
Mitigating insider threats involves ongoing effort and some expense, but it pales in comparison to the possible damage an insider incident can do to your company checkbook and reputation. Be proactive and defend your livelihood with an uncompromising posture on cybersecurity and physical security.