By William G. Perry, Ph.D.
The greatest threats to the security of an organization's information assets come, by far, from insiders. That fact might surprise you, but managers and those who hire and supervise employees need to be aware of it.
A Ponemon Institute cost of data breach study, conducted in 2016, indicated that more than 64% of breaches originated from insiders. That is a remarkable figure.
What's the story? The employees responsible for information security breaches come in all shapes and sizes. Some were duped into giving up confidential information; others simply made honest mistakes. Some hate their jobs, and others are outright vandals or thieves.
How much damage can an insider do? An insider incident, even an unintentional one, can cause immeasurable harm to an organization's infrastructure. It can be just as extensive and destructive as an attack carried out by the most sophisticated cybercriminals.
What can be done?
First, ask yourself whether you have a formal information security plan. If you do, you are well on your way to controlling the insider threat. If you do not, you are in deep trouble, mainly because information security is then barely addressed in your company, if at all.
If you have a comprehensive plan for information assurance, hiring and supervising the employees who will have access to your mission-critical assets is already part of your routine.
Otherwise, you are likely to be without even a list of mission-critical assets classified by their level of importance, and you lack a clear understanding of what information you need to protect from insider threats.
Listed below are a few suggestions that might help you get a handle on the problem:
1. Create an official, policy-based security plan.
2. Establish ownership for each information asset.
3. Every asset needs to be classified as to its level of criticality.
4. The desired level of information assurance competence for each employee must be specified.
5. Carefully screen each employee for security awareness, validate past employers and ask appropriate questions.
6. Craft strong access control policies for each information asset.
7. Define the duties and responsibilities of each employee in the organization for the security of confidential information.
8. Employees need to sign off on a form that acknowledges their responsibilities for the confidentiality, integrity and availability of system assets.
9. Establish a continuous security awareness training program for all employees.
10. Treat information assurance as a business process.
11. Hold everyone accountable.
12. Apply lessons learned from security breaches.
13. Develop and reinforce a "culture of security".
You are encouraged to learn as much as you possibly can about information assurance. The asymmetric threat environment in which we all live and work makes it a requirement that you attain a level of competence in protecting information assets. The alternative is to be weak and vulnerable.
Cyber criminals scan and stalk the Internet for weakly protected computers and porous network infrastructure. It is your fiduciary responsibility to practice due diligence with the personally identifiable information you hold and process, and you are responsible for your employees.
Dr. William G. Perry is the chief security analyst of and owner of Paladin Information Assurance. http://www.paladin-information-assurance.com.