With all of the press about cyber-attacks from China, hackers in cabals in Eastern Europe, and the prevalence of phishing attacks, it’s easy to lose sight of the fact that insiders remain a significant threat to your corporate crown jewels. The Experian 2015 Second Annual Data Breach Forecast predicts that employee mistakes will be a top threat to companies in 2015, and one that will fly under most companies' radars to boot. As they point out, insider data loss can either be malicious, with a disgruntled employee taking or selling sensitive corporate data, or inadvertent, through human error.
The least expensive means to deal with insider data loss is not to have it in the first place. While it’s impossible to avoid all insider data loss, here are 5 tips for deterring insiders from taking or losing data:
1. Establish an Acceptable Use Policy
Be clear about what is acceptable use of the company's data and information and what is not. Be clear that the organization reserves the right to monitor all activity, whether business or personal, on company-provided equipment and on corporate networks. The SANS Institute offers a sample Acceptable Use Policy that is available without copyright restrictions.
2. Train employees on the Acceptable Use Policy
Educate employees on the Acceptable Use Policy during the onboarding process, and require that they sign a statement saying they have received the policy. Provide ongoing training for all employees on the policy. The Acceptable Use Policy is the police car with a radar gun: it causes employees to slow down and consider their actions.
3. Remove temptation
Ensure that sensitive corporate information is protected appropriately with passwords or multi-factor authentication and, for the most sensitive information, encryption. Operate on the principle of least privilege, in which employees have access to applications and data only as required by their position. Conduct regular reviews to ensure that employees' least privilege is being appropriately maintained, and terminate accounts that are not required for employee duties.
4. Provide a means for employees to conveniently report suspicious activities
Employees who maliciously steal corporate information often change their behavior. They complain more, are less cooperative, and are generally disgruntled. They may start taking proprietary material home, show interest in matters outside the scope of their responsibilities, or access the computer network while on vacation, on sick leave, or at odd hours of the night. Training employees to spot this behavior and giving them a means to report these changes in behavior or other suspicious activities is helpful in identifying employees who are a risk for stealing data.
5. Be especially vigilant when an employee leaves the company
Even if the parting is amicable – and often it is not – employees leaving the company may be tempted to take information with them to their next employer. When an employee leaves the company, immediately terminate all employee accounts. Remove employees from all access lists, and ensure they return all access tokens and any other means of access to secure accounts. Remind departing employees of their legal responsibilities for data confidentiality and provide them with a copy of any employee-signed confidentiality agreement.
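The access reviews in tips 3 and 5 can be partly automated by comparing the identity system's account export against the HR roster and a per-role baseline. The following is an added example, not code from the article; the roster, role baseline and account inventory are constructed sample data, and the 90-day dormancy threshold is an assumed policy value.

```python
from datetime import date

# Constructed sample data for the review; none of it comes from the article.
ROSTER = {  # HR roster: who currently works here and in what role
    "alice": {"role": "finance", "status": "active"},
    "bob": {"role": "engineering", "status": "active"},
    "carol": {"role": "finance", "status": "terminated"},
}
ROLE_ENTITLEMENTS = {  # what each role legitimately needs: the least-privilege baseline
    "finance": {"erp-ledger", "expense-portal"},
    "engineering": {"source-repo", "ci-build"},
}
ACCOUNTS = [  # account inventory as exported from the identity system
    {"user": "alice", "entitlements": {"erp-ledger", "expense-portal"}, "last_login": date(2015, 1, 20)},
    {"user": "bob", "entitlements": {"source-repo", "ci-build", "erp-ledger"}, "last_login": date(2015, 1, 25)},
    {"user": "carol", "entitlements": {"erp-ledger"}, "last_login": date(2014, 10, 2)},
    {"user": "svc-backup", "entitlements": {"ci-build"}, "last_login": date(2014, 6, 1)},
]
REVIEW_DATE = date(2015, 1, 31)  # assumed date on which the review is run


def review_access(roster, role_entitlements, accounts, today, dormant_days=90):
    """Return (user, finding, detail) triples for accounts that need action.

    Findings: 'departed' (owner no longer active: terminate immediately, tip 5),
    'no-owner' (account not tied to anyone in HR: find an owner or disable),
    'excess-entitlement' (access beyond the role baseline: revoke the extras, tip 3),
    'dormant' (unused longer than dormant_days: likely not required for duties).
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "no-owner", ""))
        elif person["status"] != "active":
            findings.append((user, "departed", person["status"]))
        else:
            excess = acct["entitlements"] - role_entitlements.get(person["role"], set())
            if excess:
                findings.append((user, "excess-entitlement", ",".join(sorted(excess))))
        idle = (today - acct["last_login"]).days
        if idle > dormant_days:
            findings.append((user, "dormant", f"{idle} days idle"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(ROSTER, ROLE_ENTITLEMENTS, ACCOUNTS, REVIEW_DATE):
        print(f"{user:12} {finding:20} {detail}")
```

Run against a real export, the output is the worklist for the reviewer: departed and ownerless accounts get disabled, excess entitlements get revoked, and dormant accounts get confirmed with the manager or removed.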