Most employees are honest, trustworthy people that would not steal from their employer or intentionally take sensitive, private information from their job and sell it. But many well-meaning employees are taken advantage of by attackers to steal data, and it can cost their employer (and customers) millions.
Unintentional insider threats can cost a U.S. company as much as $1.5 million, according to a report from the Ponemon Institute. The Verizon 2015 Data Breach Investigations Report noted that most of the thousands of data breaches and security incidents studied involved stolen user credentials.
This predicament is understandable – most employees don’t fully understand the importance of the role they play in ensuring the security of their organization – but there are simple measures everyone can take to ensure they don’t become the open door into the network. Here are five tips on how not to become an insider threat:
Be mindful of devices with company data on them
It’s a new world out there, and most of us have some sort of company data on portable devices. Whether you get work-related emails on your smartphone, use company laptops out of the office, access cloud-based IT solutions or just log into company systems remotely, be careful not to let this information fall into the wrong hands.
Try not to store unnecessary sensitive data on your mobile devices, and be wary of what external networks you connect to. Malware can be used to steal login credentials or compromise the corporate network if you return to the office with the infected device.
Lastly, don’t forget devices can be stolen or lost. Keep track of your devices, promptly report any device containing company data to your IT group, use a password and secure them, which leads to the next tip.
Encrypt data at rest
Most people only think about encryption when they are transferring data to a third party, but data that is sitting unused in storage is also at risk. From the perspective of an employee, this most often takes place when sensitive items are stored on mobile devices, personal computers or data storage devices such as external hard drives and thumb drives.
Encryption ensures that even if data falls into someone else’s hands, they won’t be able to access it. Most phones and mobile devices have the ability to encrypt data stored on them. Here is some information on encrypting iOS and Android devices.
Encrypting external hard drives and thumb drives is a little more difficult. Though there are several third-party applications to encrypt storage drives, if you are running Windows Vista or later, Microsoft BitLocker is a good solution. For more information on BitLocker and installation instructions, click here.
Of course, the effectiveness of encryption is highly dependent upon the strength of the key and the key management processes…
Use good password practices
You wouldn’t put your valuables in a safe but leave the door open, would you? Likewise, you wouldn’t use the same key for your car, safe, safety deposit box, etc. Your sensitive data is only as safe as the password you use to protect it.
You should use passwords that are at least 10 characters long, though the longer the better, with complexity: it should contain a mixture of uppercase, lowercase and special characters as well as numerals. Change your password often, and use a unique password for every site, system and application. If you use only one password for everything and a website you use suffers a data breach that includes user passwords, all of your accounts are as good as compromised.
Of course, it is difficult to memorize and manage so many unique passwords, but there is a solution. You can use secure password managers to generate unique passwords and keep track of them, requiring you to only remember the one password used to secure the manager. You can also employ two-factor authentication for your most sensitive accounts (your password vault, for example), which will require you to input a unique ID that is sent to your phone every time you log in, drastically reducing the likelihood of compromise.
For more information on using secure password managers and two-factor authentication, click here.
Beware of social engineering
“Social engineering” is just a fancy way of saying an attacker utilizes tactics from traditional scams in conjunction with a cyber-attack, and it is a common practice. Social Engineering attacks the human component of the security system. The most common example of this today is phishing, in which an attacker crafts an email that appears legitimate but aims to trick the recipient into divulging sensitive details such as passwords or installing malware on their machine. A more targeted approach is called “spear phishing” wherein the attacker creates an email targeting a specific person, perhaps even you.
Very few of us are truly “off the grid”; we all have information available about us online. In a matter of minutes, an attacker can find out what you do and discover your workplace responsibilities. They can then use that information against you. For instance, an attacker may identify a company’s CEO or other C-level executive and then send a fraudulent email that appears to be from that CEO to you, a company finance manager. The attacker claims they need an urgent wire transfer to close a deal or secure a service. The wire information will likely contain a legitimate vendor but a fake SWIFT code that routes the money to the criminal. Most people don’t question emails that appear to come from a company executive, or another associate, but that mistake could cost your company thousands or even millions.
Social engineering doesn’t have to be digital. Some of the largest breaches over the past few years involved an attacker using the telephone to speak with a company employee posing as a member of IT or other organization insider and convincing them to divulge passwords and other access information. Legitimate IT support staff will never ask you to divulge your passwords! Be wary of strange phone calls. If someone seems suspicious, clear it with a company security professional before you give them any information or ask the caller to hang up so you can call them on an official company phone number.
Ensure you don’t have unnecessary access privileges
This may sound like a strange tip, but most employees don’t need access to every resource on their company’s network, and limiting access to sensitive systems to only those who need it can drastically reduce the reach of a potential data breach. This is called the “principle of least privilege.”
Though access privileges are typically managed by IT Security, they do not always know everything different employees need access to, and maintaining proper access control can be difficult. If you discover you have access to data or systems that you don’t require as part of your job, you should notify your organization’s security team. This is especially true if the data or systems contain sensitive information such as customer payment information or personally identifiable information (PII).
While there is no cyber security “silver bullet” to prevent breaches, remaining aware of common security practices can help prevent attackers from using you as a way into your employer’s network. Just like you brush your teeth every morning, these practices are essential to maintaining your “cyber security hygiene.”
Andrew Wild, Chief Information Security Officer, Lancope
This post is part of a series for National Cyber Security Awareness Month, which aims to educate Internet users on how to stay safe online.
[Cloud Security Alliance Blog]