VP of Marketing Amy Cook and Director of Operations John Lawton were featured in Forbes in Amy’s article entitled, Why Your Employees Might Be The Biggest Threat To Your Growing Business (And What To Do About It). This is one you won’t want to miss!
Have you ever been the victim of a hacking attack? I have. One of my first website designs many years ago fell prey to an online hacker. “Better do a better job with your security,” the hacker gloated in a personalized message he left just for me. I was angry, sure, but I was also scared that someone would do that sort of damage just for the fun of it.
While that kind of predatory behavior is threatening, the biggest threat to your business is most likely from your trusted employees — and even yourself. According to Veriato’s 2018 Insider Threat Report, which surveyed 472 cybersecurity experts, 90% of cybersecurity professionals surveyed feel their company is vulnerable to insider attacks, and about 50%have experienced at least one of these attacks in the last 12 months. Those surveyed chose regular employees as the biggest security risk for their company. As you can expect, a majority (94%) believe they should monitor employees to prevent these attacks.
Consider the recent example at Heathrow International Airport in London: Someone found a USB on the streets of London with all the airport’s security data. While it’s still being investigated, it appears likely that the USB drive was either accidentally dropped by someone with access to it (pure negligence) or deliberately dropped by someone with bad intel. Either way could be just as damaging.
These threats might be malicious, such as a salesperson sending confidential data to a competitor, but they’re just as likely to be accidental, such as falling victim to a phishing email, failing to protect networks or not using antivirus software on your computers.
What’s interesting is that — while most companies are using data loss prevention (DLP) software, encryption, identity and access management, endpoint security, intrusion detection and prevention systems, and log management to track data — companies seem to be doing a poor job tracking the user.
Here are three ways that companies, large or small, can reduce the threat of employee-triggered data breaches or hacks.
Prioritize a security strategy.
Make your security strategy a prominent part of system onboarding discussions. “People get fired up about performance and productivity, especially when companies bring in new systems and platforms like any sort of ERP or CRM system,” said John Ryan, CMO of Crossfuze, a client of ours. “Companies are looking for those performance and production gains … what adds to the bottom line. They haven’t thought through the security aspect in a comprehensive way in the beginning. In many cases, they end up scrambling.”
Companies can become especially vulnerable to breaches, hacking or a cyberattack when launching a new system. If you’re going to deploy any kind of enterprise service management, ERP, SAP or CRM system, step back before implementation and first consider what the security system plan will be. Make security a part of your strategy from the very beginning. For example, when we monitor our clients’ websites, we have a thorough process in place to ensure that we develop, launch and then update the site regularly with the latest security updates. This includes installing weekly security patches and monitoring the websites around the clock.
Consider outside services.
There are some new AI systems that track users and look for unusual patterns. “Think credit card fraud detection but for users and data management,” said my colleague, John Lawton, CTO of Simplus. “They are then tying this to the human resource information system to do predictions on flight risk for individuals and groups. This not only allows you to monitor the data and the user, but it allows you to intervene early to retain users or monitor them to prevent data loss.” This saves on both employee churn as well as the loss of the data or IP.
For example, as part of his job, Bob in Accounting moves five sensitive spreadsheets each day to a corporate Dropbox account used by the company’s finance group. The software knows his normal routine, so it notices when he starts to put the spreadsheets onto a USB drive, too. The software communicates this change by raising his employee risk score, which his company created for this very purpose, and alerting the security team. The security team — comprised of humans — then must investigate further to decide if he’s copying these files to the USB because someone asked him to or whether he’s sharing them with someone outside of the company.
Track employee behaviors.
Many companies couple employee behavior with user-activity-monitoring software, which tracks a user’s online and communications activity. For example, there are a handful of UAM software options available, many of which include screen-capture capabilities that record everything on the computer screen. Some let you determine how frequently you capture the screen, from as often as every second to the default of every 30 seconds. It also includes video playback, which lets you see exactly what happened in context.
Some entrepreneurs (and employees) might question the legality of this type of employee monitoring, but as Mike Tierney, CEO at Veriato, wrote in a blog post last year, “Not only is it legal to monitor employees on their computers and online, there is no federal U.S. law that requires employers to notify workers they are being monitored.” However, Tierney also wrote that notifying an employee of the company’s right to monitor them can also serve as a deterrent to employees considering sharing sensitive data that doesn’t belong to them. Employees that know they’re being monitored would be much more careful with what they share — or even take with them when they leave.
Before you go out and buy a new suite of software, take the time to evaluate your options. Take steps now to put a robust security process in place. Augment it with employee-monitoring software, and you can rest easy knowing your data — and employees — are safe.