Data Security: insiders and IT recycling pose a threat to corporate data
Mention network security and the first thing that comes to mind is the image of international hackers stealing corporate data and customer information. But according to a recent survey of hundreds of cybersecurity professionals, organizations need to pay just as much attention to the threats that are within their walls as they do to ones from anonymous outsiders.
The survey, which was conducted by Information Security Group and published in CIO Insight, indicated that insider security threats have become a significant and growing concern, and that every organization needs to recognize there is a good chance it will be victimized by somebody to whom it has previously given access. That may mean an employee, a former employee, a consultant, or an electronics recycler. Once access privileges have been granted, a door has opened that is difficult to close again, and particularly difficult to close without help.
Part of the problem is in recognizing where the threat comes from. According to the experts, the most frequent villains are those who are trusted the most: managers and consultants. And the biggest vulnerability lies in companies simply not having taken adequate preventive measures. Understanding what needs to be done usually requires an outside assessment, for example by a managed service provider, of the vulnerabilities specific to the organization: where the data actually lives, and where access has been granted more broadly than the job requires. Security experts will look at everything from the educational level of the average employee to the type of data being kept in order to build security controls tailored to the organization’s needs.
So what does a data protection program designed to protect against insider threats look like? Though every system is different, a multi-pronged approach is generally applied: establish who accesses the system and how, so that detection can be tuned to flag activity that is out of the norm. Network monitoring is put in place to detect unauthorized access by those who mean to do harm, and offboarding procedures are put in place that immediately revoke all network access from former employees and contractors. Retired servers and computers are released only to certified data destruction vendors before the equipment is handed to electronics recyclers.
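Two of the checks just described, in code, as an added example that is not part of the original article or of any vendor’s product: the first flags any authentication attempt by an account after the date HR says it was terminated (an offboarding revocation that did not happen, or did not reach this system); the second builds a per-user baseline of source addresses and login hours from that user’s own history and flags logins that break it. The roster, the log lines and the account names are constructed for the example; the log format is a hypothetical one-line-per-event layout, not a real product’s.

```python
# Added example, not code from the original article. Roster and log are constructed.
from datetime import datetime, date

# Constructed HR roster: account -> termination date (None = still active).
ROSTER = {
    "jsmith": None,
    "rpatel": None,
    "mchen": date(2024, 3, 15),   # contractor whose engagement ended
    "klopez": date(2024, 3, 20),  # employee who left
}

# Constructed authentication log, one event per line (hypothetical format):
# "<ISO timestamp> <account> <source IP> <success|failure>"
AUTH_LOG = """\
2024-03-10T09:02:11 jsmith 10.0.4.12 success
2024-03-10T09:15:40 mchen 10.0.4.33 success
2024-03-11T08:58:03 jsmith 10.0.4.12 success
2024-03-12T10:05:19 rpatel 10.0.5.7 success
2024-03-12T10:20:00 jsmith 10.0.4.12 success
2024-03-13T09:10:44 jsmith 10.0.4.12 success
2024-03-13T14:12:09 mchen 10.0.4.33 success
2024-03-18T23:47:12 mchen 203.0.113.9 success
2024-03-19T02:15:33 jsmith 198.51.100.21 success
2024-03-21T11:00:00 klopez 10.0.4.40 failure
2024-03-22T09:05:01 rpatel 10.0.5.7 success
"""


def parse_auth_log(text):
    """Parse the log into dicts sorted by time; the baseline check relies on order."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def deprovisioning_gaps(events, roster=ROSTER):
    """Flag every authentication attempt, successful or not, by an account after
    its termination date. Access should have been revoked on that date, so a later
    success means offboarding did not reach this system, and a later failure shows
    the credential is still being tried."""
    findings = []
    for e in events:
        term = roster.get(e["user"])
        if term is not None and e["ts"].date() > term:
            findings.append({"user": e["user"], "ts": e["ts"].isoformat(),
                             "src": e["src"], "result": e["result"],
                             "terminated": term.isoformat()})
    return findings


def baseline_anomalies(events, min_history=2):
    """Per-user baseline built from that user's own successful logins: source
    addresses and hours of the day seen so far. Once a user has min_history
    successes on record, a login from a new source, or more than an hour outside
    the hours already seen, is flagged. Flagged events are not folded into the
    baseline, so an intruder cannot normalise their own activity over time."""
    sources, hours, count = {}, {}, {}
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        u, h = e["user"], e["ts"].hour
        reasons = []
        if count.get(u, 0) >= min_history:
            if e["src"] not in sources[u]:
                reasons.append("new source address")
            if h < min(hours[u]) - 1 or h > max(hours[u]) + 1:
                reasons.append("outside usual hours")
        if reasons:
            findings.append({"user": u, "ts": e["ts"].isoformat(),
                             "src": e["src"], "reasons": reasons})
            continue
        sources.setdefault(u, set()).add(e["src"])
        hours.setdefault(u, set()).add(h)
        count[u] = count.get(u, 0) + 1
    return findings


if __name__ == "__main__":
    evts = parse_auth_log(AUTH_LOG)
    for g in deprovisioning_gaps(evts):
        print("OFFBOARDING GAP:", g)
    for a in baseline_anomalies(evts):
        print("BASELINE ANOMALY:", a)
```

On the constructed data the first check catches the contractor mchen still logging in three days after the engagement ended and a failed attempt with klopez’s account after departure; the second flags the same mchen login (new source, late at night) and a 02:15 jsmith login from an address never seen before. In practice the roster comes from the HR system of record and the threshold for "usual hours" is tuned per team, but the point stands: the termination date is the control, and any event after it is a finding regardless of whether the login succeeded.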
In addition to these preventative measures, attention must be paid to those who have no malicious intent, but who instead fall prey to phishing expeditions that install malware or harmful applications. These frequently come in the form of innocent-looking (or official-looking) emails, but a robust training program that teaches employees both about the dangers of these attacks and how to recognize them can be extremely effective.
Finally, destruction of data that requires protection should never be left to internal staff. This includes payroll information, personnel files, legal documents of any kind, and data pertaining to customers, clients, and vendors. Destruction of all potentially sensitive data, and of the media that holds it, should be put into the hands of professional data destruction companies.