According to the Code42 Data Exposure Report 2019, of the 38% of companies that experienced a data breach in the previous 18 months, half cited employee actions as the cause. Insider threats are increasingly linked to serious data breaches, with cybercriminals exploiting human weaknesses rather than technological ones.
A strong cybersecurity strategy means not only having robust defences against external threats, but also knowing how to manage the risks your business faces internally.
Educate your staff
Even in the information age, you can’t expect everyone to know cybersecurity best practices right away. Invest in training so your staff know how to approach data protection in the workplace.
Make sure they fully understand how every precaution you take actively protects your business. From their first day, ensure they are fully informed about your cybersecurity policies and why each is necessary. Educate them about the possible consequences of a breach for the business and how they could be affected personally.
As your business grows and new measures are required to protect a larger infrastructure and more information, provide training for all employees about new policies and processes. Offer regular refresher courses to keep your staff up-to-date on the latest cybersecurity best practices.
Keep on top of your cybersecurity essentials
If you have comprehensive cybersecurity measures in place, your data is harder to compromise, unintentionally or otherwise.
It’s harder for criminals to break into a lost or stolen device if it is encrypted. It’s harder to abuse a weak or stolen password if you implement multi-factor authentication. If you have safe backups of your data, you can recover anything that is lost or compromised. There are several small steps you can take to protect against inadvertent insider threats.
Combined with proper education about why these steps are necessary, these simple measures create a solid foundation throughout your business for effective cybersecurity.
Have senior staff set the example for cybersecurity practices
Senior staff are likely to be handling incredibly valuable data which requires the utmost protection. If the people with the most important information are the ones bending the rules, the consequences of a data breach get exponentially more serious.
According to the Code42 Report, 65% of CEOs and 78% of CSOs admit to clicking on a link they shouldn’t have.
Employees are more likely to take your cybersecurity policies seriously if they see senior members of staff putting them into practice. It improves the overall cyber hygiene of your organisation to have a security-first attitude implemented from the top down.
Ensure your cybersecurity policies are properly enforced
89% of CSOs admit to feeling desensitised toward potential cybersecurity threats – an attitude which is common at every level. Negligent threats occur when people cut corners, when they assume they will be the lucky person who manages to sidestep very common risks.
There is no benefit to laying out specific cybersecurity guidelines if you’re not going to ensure they are met by your employees. Measures should be in place to prevent lax attitudes causing breaches. This could mean implementing a way of tracking compliance with your internal policies or finding some more creative way of encouraging staff to engage with cybersecurity.
Limit staff access to the information they do not need
Only give staff access to the data that they need to do their job. This means, if they ever do get compromised, the amount of information criminals can steal is limited. It also makes it easier to identify the source of a breach if, for instance, only the data contained within a specific department has been leaked.
Another element of properly restricted data access is completely shutting down staff accounts when an employee leaves. Inactive accounts that haven’t been properly closed can allow unauthorised actors to access your data and systems. It’s easy to forget inactive accounts even exist, and if they’re not protected they can be a huge vulnerability.
Treat your staff well
This is something you should really be doing anyway, because it’s the decent thing to do. But making your business somewhere that people like to work can go a long way towards preventing malicious insider threats. People are less likely to be manipulated into handing over access to your sensitive data if they feel like you appreciate them.
Have an incident response plan in place
Even if you do everything right, sometimes accidents do still happen. Knowing what to do in the event of a breach – how to contain and mitigate risk, to accurately inform your staff and customers, and to recover as much data as possible – is imperative. Having a plan of action to guide you through a breach will get you back to business far more efficiently.
This applies to internal threats as much as any other risk. You might want to establish disciplinary measures that correspond to negligent actions or have a review system in place that includes providing training to prevent cybersecurity mistakes in future.
Find out how ThreatAware can help manage your compliance and cybersecurity processes by signing up for a free trial.