When considering cybersecurity strategies for data protection, guarding against external threats is usually first on the list. However, headline-grabbing cyberattacks account for only half of the root causes of data breaches, according to the 2019 Cost of a Data Breach Report released by the Ponemon Institute and IBM Security. The rest are due to internal threats and system glitches.
The human factor is often the hardest to control and predict when it comes to data protection. Some companies invest in employee training in the hope that a well-educated workforce, aware of the financial and reputational consequences of data breaches, will be vigilant enough to avoid poor security practices. However, the truth is that, in many cases, organizations are only one careless employee away from a damaging security incident. There is also the ever-present danger of malicious insiders: disgruntled employees who want to damage a company’s reputation or steal data on their way out of an organization.
But what are the most common internal incidents and practices that represent a threat to a company’s data security? Let’s have a look at the most prevalent five:
1. Social Engineering
Although technically an external threat, social engineering only works if someone inside a company can be tricked into revealing information: employees are manipulated into giving up passwords or other confidential data. Social engineering can take the form of attackers impersonating friends or other trusted sources and requesting sensitive information, or of unexpected offers and prizes from sought-after brands that contain or link to malware.
While antimalware and antivirus software can help flag these kinds of malicious emails, social engineering is best dealt with through training. Employees must be educated in the many ways outside attackers may approach them and in how to react when they receive suspicious requests. An understanding of social engineering is essential to preventing it. Training should also be put to the test to identify any weaknesses among employees.
2. Data Sharing Outside the Company
Employees sharing sensitive data, either publicly or with third parties outside the company, can spell disaster. This usually happens out of carelessness: the reply-all button is hit instead of a simple reply, information is sent to the wrong email address, or something is accidentally posted publicly.
These kinds of incidents are rarely helped by training, since they are the human errors we are all prone to. Specialized software such as Data Loss Prevention (DLP) tools can help organizations keep track of sensitive data and ensure that its transfer, whether by email or other internet services, is limited or blocked altogether.
3. Shadow IT
The use of unauthorized third-party software, applications or internet services in the workplace is often hard for IT departments to trace, which is where the term shadow IT comes from. The reasons for its prevalence are fairly simple: employees use familiar applications out of habit, because they improve their efficiency and lighten their workload, or because they are more user-friendly than company-authorized alternatives.
This is problematic because companies are, most of the time, unaware that it is happening, which creates a blind spot in their cybersecurity strategies. A further danger is the weak security of these third-party services, which can lead to data leaks or breaches as well as noncompliance with data protection legislation, making shadow IT a legal liability too.
Shadow IT usually signals a failure on the part of the company to provide employees with the right tools to perform their tasks. Organizations should have an open dialogue with their employees to understand their technological needs and do their best to meet them. DLP tools can also help companies prevent employees from uploading sensitive information to these unauthorized services and, by monitoring these attempts, reach a better understanding of shadow IT within the organization.
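To make the DLP idea from points 2 and 3 concrete, here is a small Python check of the kind a DLP rule set performs on an outbound email or upload. It is an added example written for this article, not code from any DLP product; the company domain, the list of approved upload services, the sensitive-content keywords and the sample messages are all constructed assumptions. It classifies the content (a Luhn-validated card number, a confidentiality keyword), works out whether the data is leaving the company (an external recipient, as in the reply-all mistake, or an unsanctioned upload destination), and returns allow, alert or block. The alert outcome is what lets an organization log attempts to use unsanctioned services and build a picture of shadow IT without blocking harmless traffic.

```python
"""Toy outbound-transfer check in the spirit of a DLP rule set.

Added example for this article, not a product's code. Every domain, keyword
and sample message here is a constructed assumption for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed policy data (assumptions for this example).
COMPANY_DOMAINS = {"example-corp.com"}            # mail domains that count as "inside"
APPROVED_SERVICES = {"files.example-corp.com"}    # upload destinations IT has sanctioned
KEYWORDS = ("confidential", "internal only", "payroll")

# Runs of 13-19 digits with optional space/dash separators, e.g. "4111 1111 1111 1111".
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates plausible card numbers from random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[str]:
    """Return labels for the kinds of sensitive content found (empty if none)."""
    findings = []
    for match in CARD_RE.finditer(text):
        if luhn_ok(match.group()):
            findings.append("payment card number")
            break
    lowered = text.lower()
    for word in KEYWORDS:
        if word in lowered:
            findings.append(f"keyword '{word}'")
    return findings


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class Transfer:
    """One outbound movement of data: an email, or an upload to a web service."""
    sender: str
    body: str
    recipients: List[str] = field(default_factory=list)   # email recipients
    upload_host: Optional[str] = None                      # set for web uploads instead


def evaluate(transfer: Transfer) -> Tuple[str, List[str]]:
    """Decide allow / alert / block and explain why.

    allow : nothing sensitive, or sensitive content staying inside the company
    alert : data going to an unsanctioned service but nothing sensitive in it
            (logged to build a picture of shadow IT use)
    block : sensitive content leaving the company or going to an unsanctioned service
    """
    findings = find_sensitive(transfer.body)
    reasons = []

    external = [r for r in transfer.recipients if domain_of(r) not in COMPANY_DOMAINS]
    if external:
        reasons.append(f"external recipient(s): {', '.join(external)}")

    unsanctioned = transfer.upload_host is not None and transfer.upload_host not in APPROVED_SERVICES
    if unsanctioned:
        reasons.append(f"unsanctioned upload destination: {transfer.upload_host}")

    if findings and (external or unsanctioned):
        return "block", reasons + findings
    if unsanctioned:
        return "alert", reasons
    return "allow", findings


if __name__ == "__main__":
    # Constructed sample transfers.
    samples = [
        # reply-all mistake: a card number goes to a mixed internal/external list
        Transfer("ana@example-corp.com", "Customer card 4111 1111 1111 1111, please refund.",
                 recipients=["bob@example-corp.com", "supplier@partner.example"]),
        # same content, internal recipients only
        Transfer("ana@example-corp.com", "Customer card 4111 1111 1111 1111, please refund.",
                 recipients=["bob@example-corp.com"]),
        # shadow IT upload without sensitive content
        Transfer("ana@example-corp.com", "Lunch menu for Friday", upload_host="paste.unsanctioned.example"),
        # shadow IT upload with sensitive content
        Transfer("ana@example-corp.com", "Payroll for Q3 attached", upload_host="paste.unsanctioned.example"),
    ]
    for t in samples:
        print(evaluate(t))
```

The Luhn check matters in practice: order numbers and tracking codes are also long digit runs, and without it a DLP rule blocks far more legitimate mail than it should, which is exactly what drives employees toward unsanctioned channels in the first place.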
4. Use of unauthorized devices
A lot of data protection policies focus on data transfers outside the company network over the internet and fail to consider another often-used method: portable devices. USB sticks, in particular, have long been the bane of data protection strategies. Easy to lose or steal, but convenient to use, they have led to some disastrous data breaches, such as the now-infamous Heathrow Airport security incident in which a careless employee lost a USB stick holding over 1,000 confidential files, including highly sensitive security and personal information.
The easiest way to prevent this kind of breach is to block USB and peripheral ports altogether. However, there is no denying the usefulness of USB sticks in the workplace. For companies that still want to use them, there are measures they can take to do so securely. Chief among them is the encryption of all files transferred onto USB sticks, combined with a trusted-devices policy that allows only devices defined as trusted to connect to a company computer.
5. Physical theft of company devices
In today’s increasingly mobile work environment, employees often take their work computers and portable devices out of the office. Whether working remotely, visiting clients or attending industry events, work devices often leave the security of company networks and become more vulnerable to both physical theft and outside tampering.
Encryption is always a good solution to guard against physical theft. Whether it’s laptops, mobile phones or USBs, encryption removes the possibility that anyone who steals them can access the information on them. Enabling remote wipe options can also help organizations erase all data on stolen devices from a distance.