We talk a lot about external threats. In our minds we see them: in a dark warehouse, the air filled with blue smoke from their cigarettes, thick foreign accents punctuate the frenzied clicking of keyboards as streams of highly secret data are lifted from your business. Now we flash stateside to an office building; inside there is panic as computers crash and network lights flash frantically calling for help, and the President of the company collapses to the floor sobbing into his hands. Okay, so maybe it’s not quite that dramatic, but we all know that fear – it’s why we spend millions of dollars each year on anti-virus, anti-malware, firewalls and security audits, all to keep THEM out of OUR networks and to keep OUR data secure.
But what about the people you let in the door every day? Your employees. A recent study suggests that here in the States 22% of US workers would be fine misusing your customers’ data. 10% would give it away to non-employees. 9% would take data with them when they left, and 5% said they would be happy selling your proprietary data. While those numbers seem small, let’s look at it this way – in a company with 20 employees, 4 of your employees are breaking your customers’ trust, 2 are e-mailing your mailing list to your competitors, 2 are stealing your backups, and one is actively selling your research on the black market. That’s 8 of 20 people, nearly half of your employees!
So now what? First off, limit access. If an employee doesn’t need access to certain data to perform their job function, they don’t get it. Establish a company usage policy and stick to it. This includes the obvious things like protecting your financial server and file shares, but also the often-forgotten things like backup tapes and password policies.
Most of these types of thefts are opportunistic: they occur because your employee has time alone with the data, bad ideas start to look like good ones, and they act. For an analogy, it’s nearly like running a stop sign in the middle of the night in the middle of nowhere… no cop, no stop – right? So limit the time your employees work alone with sensitive data. Build in checks and balances: have multiple employees work with your backup tapes, require a management sign-off process for file share access, develop a review system, and set firm end dates for data access.
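One way to run the review step just described, as an added example that is not from the original post: reconcile a register of manager-approved grants (each with a firm end date) against what the file server’s ACLs actually hold today, and flag anything expired or never signed off. The share names, users, approvers and dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample register (not from the post): grants a manager signed
# off on, each with the end date that was agreed at approval time.
APPROVED_GRANTS = [
    # (user, share, approved_by, end_date)
    ("alice", r"\\files\finance", "cfo", date(2024, 12, 31)),
    ("bob", r"\\files\research", "cto", date(2023, 6, 30)),
    ("carol", r"\\files\backups", "it-mgr", date(2024, 3, 31)),
]

# Constructed snapshot of who the file server currently grants access to.
CURRENT_ACL = {
    r"\\files\finance": {"alice", "dave"},
    r"\\files\research": {"bob"},
    r"\\files\backups": {"carol", "erin"},
}

REVIEW_DATE = date(2024, 1, 15)  # the day the review is run (constructed)
EXPIRY_WARNING = timedelta(days=30)


def review_access(approved, acl, today):
    """Return (kind, user, share, detail) findings for the reviewer.

    EXPIRED:     grant's end date has passed but the user is still on the ACL
    EXPIRES_SOON: grant ends within EXPIRY_WARNING; schedule the removal now
    NO_SIGNOFF:  user is on the ACL with no approved grant in the register
    """
    findings = []
    registered = set()  # every (user, share) pair that has any grant at all
    for user, share, approver, end in approved:
        registered.add((user, share))
        present = user in acl.get(share, set())
        if end < today and present:
            findings.append(("EXPIRED", user, share,
                             f"ended {end}, approved by {approver}"))
        elif today <= end <= today + EXPIRY_WARNING and present:
            findings.append(("EXPIRES_SOON", user, share, f"ends {end}"))
    for share, users in acl.items():
        for user in sorted(users):
            if (user, share) not in registered:
                findings.append(("NO_SIGNOFF", user, share,
                                 "no approved grant on file"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, user, share, detail in review_access(APPROVED_GRANTS, CURRENT_ACL, REVIEW_DATE):
        print(f"{kind:13} {user:8} {share:20} {detail}")
```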
Lock down policies on storage devices. Don’t allow personal USB sticks to be used in your enterprise. If your employees need files while working remotely, issue company-owned USB sticks or portable disk drives each time they leave for the road. Make sure they turn the sticks back in when they return (and don’t forget to virus scan them before you review the access logs!). Make sure you encrypt the USB sticks or portable drives and secure the certificate and passwords used to protect them.
Lastly, use your employees as extra eyes and ears. Instill in everyone, from the Board of Directors to the night janitor, the importance of protecting the company’s data, and develop a reporting system for suspicious behavior or misuse of data. You can set up an anonymous system with a web form on an internal website fairly easily if you want the technical route – or a box on the wall near the time clock for suggestions and reporting if you prefer the simple route.
Bottom line, secure your data from the inside as well as the outside.
~Geof “looking for highest bidder” Franklin