While companies that fall prey to major hacks have become daily headlines, few people realize that a significant portion of these data breaches come from internal employees, not outside threats. Many data breaches originate inside the company, and in about half of those cases the breach is malicious rather than accidental.
According to market research, Swiss companies are on average investing every 8th Franc of their IT budgets in security. However, the vast majority of those investments are aimed at keeping the company safe from external threats. But what about internal risks?
Here are the top 7 actions for making sure your company is safe from internal hacks and data breaches.
1. Monitor Your Company’s IT “Baseline”
A custom monitoring system can be implemented that adjusts to your company’s “baseline” activity and alerts you to anything out of the ordinary. For instance, this system could alert you to any application or user that accesses data they are not supposed to. It could also alert you to suspicious increases in network traffic or file transfers, which could indicate someone is transferring data out of your system. These solutions need to be custom-tailored to your organization. At Swiss FTS, we have a capable team ready to implement a custom monitoring system for you.
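As an added example (not code from Swiss FTS or the original post), here is a minimal baseline monitor of the kind described above: it learns each user's normal daily outbound volume and the shares they normally touch from a short history, then flags a later day that far exceeds that volume or touches a share the user has never accessed. The records, the five-day learning window and the 5x volume threshold are all constructed assumptions.

```python
# Added example: a minimal "baseline" monitor over constructed access records.
# It learns per-user normal daily outbound bytes and the set of shares used,
# then alerts on large deviations. All users, shares and numbers are constructed.
from collections import defaultdict
from statistics import median

# Constructed sample records: (user, day, share accessed, bytes transferred out)
RECORDS = [
    ("alice", 1, "finance", 120_000), ("alice", 2, "finance", 150_000),
    ("alice", 3, "finance", 110_000), ("alice", 4, "finance", 140_000),
    ("alice", 5, "finance", 130_000), ("alice", 6, "finance", 2_400_000),  # spike
    ("bob", 1, "eng", 900_000), ("bob", 2, "eng", 1_100_000),
    ("bob", 3, "eng", 950_000), ("bob", 4, "eng", 1_000_000),
    ("bob", 5, "eng", 1_050_000), ("bob", 6, "hr", 980_000),  # share never used before
]
BASELINE_DAYS = 5     # days used to learn the baseline (assumption)
VOLUME_FACTOR = 5.0   # alert when a day exceeds factor * median volume (assumption)

def build_baseline(records, baseline_days=BASELINE_DAYS):
    """Per-user median daily bytes and the set of shares seen in the baseline window."""
    volumes, shares = defaultdict(list), defaultdict(set)
    for user, day, share, nbytes in records:
        if day <= baseline_days:
            volumes[user].append(nbytes)
            shares[user].add(share)
    return {u: {"median": median(v), "shares": shares[u]} for u, v in volumes.items()}

def detect_anomalies(records, baseline, baseline_days=BASELINE_DAYS, factor=VOLUME_FACTOR):
    """Return (user, day, kind, detail) alerts for post-baseline records that deviate."""
    alerts = []
    for user, day, share, nbytes in records:
        if day <= baseline_days or user not in baseline:
            continue  # baseline period itself, or a user with no learned baseline
        b = baseline[user]
        if nbytes > factor * b["median"]:
            alerts.append((user, day, "volume", f"{nbytes} bytes vs median {b['median']:.0f}"))
        if share not in b["shares"]:
            alerts.append((user, day, "new-share", share))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(RECORDS, build_baseline(RECORDS)):
        print(alert)
```

In a real deployment the baseline would be recomputed on a rolling window and the thresholds tuned per organization, which is the custom-tailoring the text refers to.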
2. Secure All Communications
Employees often use dozens of applications throughout the work week that require login and authentication. If the connections to these services are not encrypted, everyone in the network can get access to everyone else’s credentials. (If applications are hosted externally, even people outside the company can get their hands on the credentials.) This is why all communication with applications and services should always be encrypted, using SSL or other encryption technology. Single sign-on (SSO) technology can further assist your IT team in making sure that all employees are using secure logins. SSO can make using secured channels so much easier that your employees don’t even notice that they are using them.
3. Raise Employee Awareness Through Training
Employees should be trained to spot the major types of attacks and risks, both external and internal. For example, employees should be trained to never execute programs that come from unknown or suspicious sources. Likewise, they should be trained in detecting phishing and other malicious sources. Employees should be trained not to plug in USB thumb drives or other devices that they found somewhere or received from unknown sources; they should either discard such found USB devices or bring them to IT for testing in a secure environment. Employees’ awareness of social engineering should also be raised, so that they don’t give out confidential information to a random person who claims to be a director from another office, for example. It is important to have quality training sessions on these topics for your employees.
4. Make Sure Each Employee Has Access Only to the Data They Need
Implementing an access-control system will dramatically reduce the risk of internal data breaches, as each employee will have access to only a fraction of the company’s data, on an as-needed basis.
5. The 4-Eye Principle
For changes in system and security settings, and also for provisioning access rights, your company should follow the “4-Eye Principle”—that is, two people should be involved in or witness changes to any of these system-wide settings. Selecting the wrong checkbox or moving a security policy to the wrong location can have a severe impact. Imagine, for example, that a temp worker unintentionally received domain administration rights. This type of potentially catastrophic incident can be minimized if two people are involved in any major change of settings.
6. Segregation of Duties
It is surprisingly common, especially in smaller companies, that one administrator has full control over your whole IT. This is a dangerous situation, because that one person could take down your whole company. We recommend that you segregate critical systems and have them administered by different people. This will make your IT infrastructure far more secure and robust.
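As an added example illustrating points 5 and 6 (not code from Swiss FTS or the original post), the following gate refuses a privileged group change unless two authorized people other than the requester have approved it, and the companion check reports critical systems that depend on a single administrator. The group names, systems and people are constructed assumptions; a real deployment would read them from the directory and the change-management system.

```python
# Added example: dual control for privileged changes plus a segregation-of-duties
# check. Group names, system names and people are constructed for illustration.
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumption

def four_eyes_ok(change, approvals, authorized_approvers):
    """A privileged group change needs two distinct approvals from authorized
    people, neither of whom is the requester. Returns (ok, reason)."""
    if change["group"] not in PRIVILEGED_GROUPS:
        return True, "not privileged; no dual control required"
    approvers = {a for a in approvals if a in authorized_approvers}
    approvers.discard(change["requester"])  # requester can never approve own change
    if len(approvers) < 2:
        return False, f"need 2 independent approvers, have {len(approvers)}"
    return True, "approved by " + ", ".join(sorted(approvers))

def single_points_of_control(admin_map, critical_systems):
    """Return (critical systems with exactly one admin, admins who administer
    every critical system), i.e. the 'one person can take it all down' cases."""
    sole, per_admin = {}, defaultdict(set)
    for system, admins in admin_map.items():
        if system not in critical_systems:
            continue
        if len(admins) == 1:
            sole[system] = next(iter(admins))
        for admin in admins:
            per_admin[admin].add(system)
    omnipotent = sorted(a for a, s in per_admin.items() if s >= set(critical_systems))
    return sole, omnipotent

# Constructed scenario: a temp worker is about to be added to Domain Admins.
CHANGE = {"requester": "temp.worker", "group": "Domain Admins", "member": "temp.worker"}
AUTHORIZED = {"it.lead", "ciso", "sysadmin1"}
ADMINS = {"AD": {"sysadmin1"}, "ERP": {"sysadmin1", "erp.admin"}, "Backup": {"sysadmin1"}}
CRITICAL = {"AD", "ERP", "Backup"}

if __name__ == "__main__":
    print(four_eyes_ok(CHANGE, ["temp.worker", "sysadmin1"], AUTHORIZED))  # rejected
    print(four_eyes_ok(CHANGE, ["it.lead", "ciso"], AUTHORIZED))           # accepted
    print(single_points_of_control(ADMINS, CRITICAL))
```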
7. Bring the Whole Company to the Table
Security isn’t just an IT topic. It involves the whole company. This includes management, HR, sales, legal, etc. It is important that all stakeholders realize this and work together towards the goal of better company-wide security, because it doesn’t make sense to invest large sums of money in sophisticated security infrastructure if employees don’t accept it or use it properly. We recommend that you don’t just focus on the IT aspect of security, but also on a company-wide culture of taking security seriously and employing proper security measures at all times.
During our work in IT Forensics we often see that the above actions are not implemented properly. That can lead to security incidents which can have a severe impact on your operations. Having gone through the process of setting up an Information Security Management System (ISO 27001 Certificate), we will gladly share our experience with you.