Employees accessing company data from a multitude of devices present the largest security threat to organizations today, according to a new report from BetterCloud, an independent software vendor based in New York, NY.
In a recent article, Techrepublic.com reports, “The biggest security threat to your business likely isn't a cybercriminal or hacktivist, but someone already in your organization, according to a Wednesday report from BetterCloud. The vast majority (91%) of the 500 IT and security professionals surveyed said they feel vulnerable to insider threats, whether their acts are malicious or accidental.”
This latest BetterCloud.com report points to the growth of software-as-a-service (SaaS) applications as a contributor to this vulnerability, because that growth creates “a massive information sprawl.” The risk is compounded by the many endpoints employees use to access data, each of which is a potential point of “ingress for attackers” to the network.
For the 500 professionals surveyed in the report, negligence, not malice, is the biggest concern regarding security risks:
62% of professionals said they believe the largest insider security threat comes from well-meaning but negligent employees;
21% said they believed the threat came from those who intentionally cause harm; and
17% from employees who are exploited by outsiders through compromised credentials.
So how can your organization mitigate the risk from well-meaning employees? Below are a few of the most crucial steps you can take when it comes to employee data protection.
Limit local administrator rights
IT best practices dictate that, for their own data protection, employees not be given local administrator rights (LAR). LAR is the highest level of permission granted to a computer user; it normally allows the user to install software and change configuration settings. It also gives the user the ability to shut off the security controls that protect an organization’s systems, including password controls and anti-malware software. Unapproved software can be installed, breaking critical applications and causing disruption and downtime. A company is also more exposed to malware: if a user with LAR inadvertently clicks a malicious link or opens infected email content from one of the many phishing scams in circulation, the delivered code runs on the system with full permissions. Auditors also frown upon the practice because of its inherent risk.
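As an added example (not from the BetterCloud report or this article), the PowerShell audit below lists the members of a Windows host’s local Administrators group and flags any principal that is not on an approved baseline. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the baseline entries are placeholders to be replaced with your own approved accounts and groups.

```powershell
# Added example (not from the original article): audit the local Administrators
# group on a Windows host and flag any principal outside an approved baseline.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Hypothetical baseline. The built-in Administrator account is reported as
# "<COMPUTERNAME>\Administrator"; the domain group name is a placeholder.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "CORP\Workstation Admins"          # placeholder: your IT admin group
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)

    # Each member exposes Name (DOMAIN\name or COMPUTER\name), ObjectClass
    # (User or Group) and PrincipalSource (Local, ActiveDirectory, AzureAD).
    $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop

    foreach ($m in $members) {
        # -notcontains is case-insensitive, matching how Windows treats names.
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Principal       = $m.Name
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource
                SID             = $m.SID.Value
            }
        }
    }
}

# An empty result means the host matches the baseline.
$findings = @(Get-UnapprovedLocalAdmins)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) unapproved local administrator(s) on $env:COMPUTERNAME"
} else {
    Write-Output "Local Administrators group on $env:COMPUTERNAME matches the approved baseline."
}
```

Run it across a fleet with Invoke-Command to collect findings centrally; a confirmed stray entry is removed with Remove-LocalGroupMember -Group Administrators -Member <name> once the owner has been told why.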
Install Microsoft Advanced Threat Protection (ATP)
Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses, as well as spoofing and phishing attempts. It also includes features to safeguard your organization from harmful links and attachments in real time, and can trace URLs to provide insight into the kind of attacks happening in your organization.
Enforce strong passwords and two-factor authentication
Require that employees create passwords or passphrases that are at least 8 characters long and contain uppercase and lowercase letters, punctuation, and a number. A different password should be used for each online account, and passwords should be changed every 3 months. Always use two-factor authentication when it is available.
Frequent Employee Training
In the past, companies could train employees once a year on security best practices. This is no longer enough for employee data protection, said Wesley Simpson, COO of (ISC)2, in the report “IT leader’s guide to reducing insider security threats.”
Reviewing data security policies and best practices as part of onboarding new employees should be standard. Organizations should also allot dedicated time during staff meetings to review and reinforce security protocols, gather feedback, and answer employee questions.
Whether the organization is a small business or a nonprofit, a culture of data security comes from the top down. Messages and actions should reinforce that everyone in the company is responsible for protecting valuable data, and there should be a protocol for reporting unsafe activity or suspicious emails without repercussion.
"Your people are your assets, and you need to invest in them continually," Simpson said. "If you don't get your people patched continually, you're always going to have vulnerabilities."