The Threat Within - Part 2: The Importance of Employee Education

Your biggest security vulnerability may be inside your organization, whether a simple gaffe by a well-meaning employee or a disgruntled one who has legitimate access to your business’s information. The Harvard Business Review reports that as many as 60% of data breaches and cybersecurity incidents originate inside the organization.

For organizations that collect protected personal information and sensitive case information, the risks of lost data are significant. The costs can be steep, from regulatory penalties for leaked data to damage to your brand. Many businesses put their data at risk when they try to save money by neglecting to train employees properly, underinvesting in security measures and failing to put fail-safes in place.

Here’s a closer look at why, dollar for dollar, security investments are an essential part of protecting your bottom line – and your focus should often start with protecting against employee error.

How Your Organization’s Priorities Put Security at Risk

When your company decides where to spend IT and training budgets, security training is often overlooked. Given the range of internal security risks, investing in training that prevents employee-driven breaches should be a top concern. When assessing this budget, ask the following questions:

  • Have you experienced an internal security breach in the last five years?
  • If you’ve experienced employee-related security threats, how many were due to avoidable errors?
  • Were any breaches malicious?

If you answered “yes” to any of the above, the following questions come next:

  • Did you audit your security as part of your recovery process? What updates did you make to further ensure your data security?
  • What level of security training do you provide employees when they join your team?
  • Do you provide ongoing training on a regular basis?
  • Have your executives received specialized training? Are managers incentivized to talk about cybersecurity with their teams?
  • What percentage of your training budget focuses on security training and staying on top of security trends?

Understanding the Types of Insider Threats

Employees can put your information at risk in a number of ways. As you develop a training program and response strategy, it’s important to think through the implications of these different risks and how to appropriately respond.

Non-malicious breaches: Humans make mistakes, and it’s often a non-malicious error that causes a data breach. For example, an employee might inadvertently attach the wrong file to an email or open confidential case files over an unsecured home network. The intent isn’t negative, but the consequences for your organization can be.

Lost devices: Do your employees read email or open files on mobile devices? It takes only a moment for a tablet to be stolen or for a phone to be left behind in a taxi. Mobile device management (MDM) tools let you remotely wipe a lost or stolen device, but the window between the loss and the wipe leaves your information exposed, and a wipe only takes effect once the device comes back online. Full-disk encryption and a short auto-lock timeout are what protect the data during that window, so enforce both before a device is ever lost.

Leaked passwords: Does your team follow bad password practices (I’m looking at you, “Password1”), reuse the same password across work and personal sites, or share passwords that a criminal can later use to get into your systems? Worse, a malicious employee could leak or sell a password outright. Multi-factor authentication limits how much damage any one leaked password can do, so require it alongside strong, unique passwords.

Falling victim to social engineering: Social engineering is a form of attack in which criminals use publicly available information (staff names, titles, email address formats) to impersonate someone in your organization, and it can have devastating consequences. For example, an attacker might send an email that appears to come from the CFO demanding an immediate transfer of funds. If your employee isn’t trained to verify such a request through a separate channel, such as a phone call to a number already on file rather than one supplied in the email, the result can be a significant financial loss.

Erasing data: If an employee is under investigation or has made a mistake that will come back to haunt your firm, they may simply erase the data associated with it. For example, having sent an email with a confidential attachment, they might delete it from their mailbox and hope nobody notices. Unless mail is journaled and activity is logged somewhere the employee cannot touch, you are left with no evidence that a potential breach ever happened.

Shadow IT: Shadow IT refers to applications, systems and services that employees adopt to help with their jobs without the IT department’s approval. These tools often connect to your corporate systems or receive copies of corporate data, which opens your network and data to breaches you have no visibility into. If the IT department isn’t monitoring devices and network traffic for SaaS activity, it may be overlooking a key source of security exposure.
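One concrete way to surface unapproved SaaS use is to run web-proxy logs against an allowlist of the services IT has actually sanctioned and rank whatever remains by how much data was uploaded to it. The script below is an added example, not code from the original article or from any vendor it names; the log format, the user names, the hostnames and the allowlist are all constructed for illustration, and a real proxy (Squid, Zscaler and so on) will have its own format and field order.

```python
"""Added example: spot unapproved SaaS ("shadow IT") in web-proxy logs.

The log format, hosts, users and allowlist below are constructed for
illustration; adapt the regex and the allowlist to your own environment.
"""
import re
from collections import defaultdict

# Hypothetical allowlist of SaaS the IT department has approved.
APPROVED_SAAS = {
    "mail.example-corp.com",
    "docs.example-corp.com",
    "crm.approved-vendor.example",
}

# Constructed proxy log: "<timestamp> <user> <method> <host> <bytes_sent_by_client>".
SAMPLE_LOG = """\
2024-03-04T09:12:01Z jdoe GET mail.example-corp.com 1200
2024-03-04T09:15:44Z jdoe POST files.unknown-share.example 8400000
2024-03-04T09:16:10Z asmith POST files.unknown-share.example 2100000
2024-03-04T10:02:33Z asmith GET docs.example-corp.com 3100
2024-03-04T10:30:00Z bchen POST notes.personal-app.example 45000
2024-03-04T11:00:12Z jdoe CONNECT crm.approved-vendor.example 900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = rec["host"].lower()
    return rec


def is_approved(host, approved=APPROVED_SAAS):
    """True if the host or any parent domain is on the allowlist.

    Matching is done label by label from the right, so api.mail.example-corp.com
    is approved while example-corp.com.evil.example (a look-alike) is not.
    """
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in approved for i in range(len(labels)))


def find_shadow_it(log_text, approved=APPROVED_SAAS):
    """Aggregate unapproved hosts: which users touched them, how often, and upload volume."""
    findings = defaultdict(lambda: {"users": set(), "hits": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_approved(rec["host"], approved):
            continue
        entry = findings[rec["host"]]
        entry["users"].add(rec["user"])
        entry["hits"] += 1
        # Count client-to-server bytes only on upload methods: that is where data leaves.
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_out"] += rec["bytes"]
    return dict(findings)


def rank_findings(findings, upload_threshold=1_000_000):
    """Order unapproved hosts by upload volume and tag bulk uploads for review first."""
    rows = [
        {
            "host": host,
            "users": len(e["users"]),
            "hits": e["hits"],
            "bytes_out": e["bytes_out"],
            "bulk_upload": e["bytes_out"] >= upload_threshold,
        }
        for host, e in findings.items()
    ]
    return sorted(rows, key=lambda r: (-r["bytes_out"], r["host"]))


if __name__ == "__main__":
    for row in rank_findings(find_shadow_it(SAMPLE_LOG)):
        flag = "BULK UPLOAD" if row["bulk_upload"] else ""
        print(f"{row['host']:<32} users={row['users']} hits={row['hits']} "
              f"bytes_out={row['bytes_out']:>9} {flag}")
```

Two design points matter here. Suffix matching is done label by label rather than with a substring test, because a substring test would approve attacker-registered look-alike names that merely contain an approved domain. And only client-to-server bytes on upload methods are counted, so a file-sharing site that two employees pushed ten megabytes to lands at the top of the list, while a site someone merely browsed does not drown it out.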

Investing Where It Counts

Protecting your business against internal threats requires both strategic planning and investment. By thinking ahead, however, you can reduce these risks substantially over time. Here are areas to consider when it comes to your employees:

Establish a company best-practices policy: What is your company’s security policy? Organizations need to assess their risks and threats and establish policies that help protect against breaches. For example, does your company have a policy that allows for the immediate termination of any employee caught causing a malicious data breach? Do you have policies that tell employees where and when they may access confidential files, such as over an unsecured home network or on a mobile device? Create and document a strong cybersecurity policy, and invest the time to train your team fully in it. Some firms take this so seriously that compliance with the company’s security policies is part of overall compensation and of employees’ annual goals.

Invest in continuous training: Every new employee should go through security training as part of onboarding. If your business has been lax about cybersecurity training, consider a baseline training plan for the entire organization. Ongoing training is vital to refreshing your team’s understanding of policies and keeping them current on emerging scams and threats.

Run security drills: After investing in security training, stress-test it to make sure employees are absorbing the material and taking it seriously. Companies are increasingly running security drills, such as simulated phishing emails, to confirm that employees follow established protocols. For example, if a paralegal at your firm received a request for confidential information from someone outside the authorized case team, how would they react? Periodic drills help you identify risks and coach employees so they are ready if and when a real incident occurs.

For businesses investing in technical training, it’s important to decide who will deliver it. If you have a knowledgeable IT leader in house, they may be able to run it. Many companies, however, partner with firms such as InteProIQ that provide cybersecurity awareness training. Working with an outside company lets you develop a curriculum customized to your needs and keep it focused on the latest issues.

One of today’s most critical cybersecurity risks lies within your own organization. Taking the time to understand the different types of employee-related security risks, and how best to prevent them, is a critical step toward building a long-term, secure foundation for your company.