The security of your data is important. If customer or employee information kept on your systems is lost – or worse, stolen – then the consequences are likely to be a loss of profit, with damage to your brand image and departing customers (or disgruntled staff). Moreover, since some of that personal data may well fall under legislative protection, you may also be financially penalized by the government and/or regulatory bodies.
Traditionally, IT security threats took the form of hackers and viruses and the tried and tested modes of protection were firewalls and antivirus software. Those were in the days when most threats were external but now the business IT landscape has changed.
A recent Forrester report found that 70% of security breaches were down to internal threats:
lost or stolen devices: 31%
employee error or accidental misuse: 27%
malicious insiders: 12%
The big shift that has opened up these internal vulnerabilities is BYOD or bring your own device: the rising trend for allowing or encouraging employees to use their own smartphones, tablets, and laptops in the workplace. Couple this with the demand for mobile access to business data so that jobs can be done flexibly and on the move and Forrester’s 70% begins to look like an underestimate. Some of the main internal security threats are as follows:
While we like to think of our teams as ‘happy families’ there is always the possibility that someone is feeling less than friendly toward their employer. Depending on their access to the company systems, they may be able to damage or delete data or even pass on customer details to your competitors. Prevention lies in fair employment practices (i.e. give as few reasons for unhappiness as possible), proper sign-on protocols (so that misconduct is at least traceable), and swift removal of ex-employees’ access from the system.
People are human and, despite awareness of IT security measures, sometimes they make mistakes. It might be leaving a laptop in a coffee shop or forgetting to log out of a terminal before heading home for the evening. It’s not malicious, but the consequences – loss of data – can be the same. In the case of the lost device, a good BYOD strategy will include management middleware that can track and trace what data is where and – once notified of the loss – take steps to automatically delete or lock that data.
In these times of increased outsourcing, it’s likely that you will have temporary, contingency or self-employed staff on the premises, and depending on their function you may be issuing them with login details to access your IT systems. Naturally, everything said above about employees stands here too, but there’s also the need to manage system access closely, including deleting login details once the individual’s contract/term/project is completed.
The difficulty with outsourcing functions like HR or CRM to cloud-based providers who manage them on your behalf is that the data is never on your premises in the first place. This doesn’t have to constitute a security threat, but it does behoove you to check carefully their security and disaster recovery contingency plans at the data center.
Much of the above may come down to human error and in that sense anyone with access to your data is a potential security threat – not because they cannot be trusted but simply because they have the keys to the door and mistakes are easy to make. The answer is twofold: 1) only give access to personal and sensitive data to those who must have it for their role, and 2) educate your people (and yourself) in what constitutes a security risk and what the consequences of a breach might be.
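The two practical controls the article keeps returning to are removing logins once a contract ends and granting sensitive-data access only to roles that need it. The script below is an added example, not code from the original article, showing how both can be checked in one periodic access review. It assumes a constructed account roster (the names, roles and group names such as `hr-records` and `crm-read` are hypothetical) exported from whatever directory or HR system an organisation actually uses.

```python
"""Periodic access review: expired contractors and excess sensitive access.

Added example, not from the original article. The roster, roles and
group names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Which data-access groups each role legitimately needs (hypothetical).
# Any sensitive group outside this set is excess access for that role.
ROLE_ALLOWED_GROUPS = {
    "sales": {"crm-read"},
    "hr": {"hr-records", "payroll"},
    "developer": {"source-code"},
    "contractor-dev": {"source-code"},
}

# Groups that grant access to personal or otherwise sensitive data.
SENSITIVE_GROUPS = {"hr-records", "payroll", "crm-read"}


@dataclass
class Account:
    user: str
    role: str
    enabled: bool
    groups: set
    contract_end: Optional[date] = None   # None for permanent staff


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def review_access(accounts, today):
    """Return a list of Findings for accounts that need attention."""
    findings = []
    for acct in accounts:
        # Check 1: a leaver or expired contractor must not keep a live login.
        if acct.enabled and acct.contract_end and acct.contract_end < today:
            findings.append(Finding(
                acct.user, "expired-access",
                f"contract ended {acct.contract_end.isoformat()} "
                f"but the account is still enabled"))
        # Check 2: least privilege - flag sensitive groups the role does not need.
        allowed = ROLE_ALLOWED_GROUPS.get(acct.role, set())
        excess = (acct.groups - allowed) & SENSITIVE_GROUPS
        for group in sorted(excess):
            findings.append(Finding(
                acct.user, "excess-sensitive-access",
                f"group '{group}' is not required for role '{acct.role}'"))
    return findings


def summarize(findings):
    """Count findings per issue type, for a quick dashboard line."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample roster: one clean account, one expired contractor who
# also holds HR data access, one correctly disabled leaver, and one
# developer who has been given payroll access by mistake.
SAMPLE_ACCOUNTS = [
    Account("alice", "sales", True, {"crm-read"}),
    Account("bob", "contractor-dev", True, {"source-code", "hr-records"},
            contract_end=date(2024, 3, 31)),
    Account("carol", "hr", False, {"hr-records", "payroll"},
            contract_end=date(2024, 1, 15)),
    Account("dave", "developer", True, {"source-code", "payroll"}),
]
REVIEW_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    results = review_access(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for f in results:
        print(f"{f.user}: {f.issue} - {f.detail}")
    print(summarize(results))
```

Run on a schedule, the output is the to-do list for the two controls the article describes: disable or delete the expired accounts, and strip the excess groups. Note that the disabled account `carol` produces no finding, since an already-revoked login is the desired end state, and that the review deliberately reports rather than acts, so a human confirms each change before a working account is touched.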