With all the hacking and virus threats we see in the news feeds today, internal threats seem to have fallen off the list of priorities for many business owners. If you follow industry trends and recent studies on insider threats, many companies are unaware of, or underestimate, corporate data leaks – the most dangerous threat to IT security today. Internal threats come in many forms, from careless internet use to a disgruntled employee gone rogue. Understanding where and how these vulnerabilities present themselves can help your business be more vigilant about data security and network integrity.
Companies are vulnerable to internal threats
- 57% of companies view employees as the most likely source of a breach.
- On average 67% of security incidents at financial firms and at product/manufacturing companies involved a current or former staff member.
- 30% of breaches by employees were targeting data to start their own competing company.
- 65% of breaches by employees were done to help secure employment with a competitor.
- 41% of security incidents at financial firms were attributed to third parties with trusted access.
Security deficiencies are a major contributor to vulnerabilities
- 33% of companies do not have a written information security policy (WISP).
- 33% know if third-party data access contracts / policies are in place.
- 33% of organizations do not have a password policy or standard.
- 59% of organizations have a user (privileged) access policy.
- 46% of organizations have an incidents response policy.
- 34% of companies do not have a crisis response plan for a data breach or cyber-attack event.
- 49% of companies do not perform periodic “fire drills” to test IT Security event response plans.
- 54% of US healthcare provider Information Technology (IT) and Information Security (IS) professionals have tested their data breach response plan.
- 77% of Information Security professionals have not updated agreements with third parties for protection against Advanced Persistent Threats (APTs).
There is much improvement to be made to prevent or minimize internal threats
- Only 20% of IT security professionals are confident their organizations have made adequate investments in educating users on how to avoid phishing attacks.
- Less than 40% of companies conduct full-network active vulnerability scans more often than quarterly.
- Only 23% feel confident their companies have made proper investments to adequately monitor the activities of privileged users.
For more IT stats and sources refer to 84 Fascinating & Scary IT Security Statistics by David Shephard.
How to minimize common malicious internal IT threats
It is possible to improve the availability of your business computer network for all users and provide better security and data confidentiality. No measure is 100% bulletproof, but the measures outlined below can lessen the threats and problems associated with end users.
- Separate duties
- Adhere to employee exit procedures
- Perform background checks
- Screen outbound email
- Screen internet activity
- Implement tripwire programs
Not all internal threat is malicious
As we have seen from the statistics above, some security risks come from knowingly abusing user privileges and accessing and misusing data. However, it is important to remember that even the best of us and our employees can present a security threat simply by not realizing we are doing something wrong, such as accidentally deleting strategic files or connecting a corrupted device to the computer network. A set of rules needs to be put in place not just to minimize malicious threats, but also to prevent unintentional breaches or data loss.
What to consider in order to minimize common non-malicious internal IT threats:
Many companies and industries must rely on data input when it comes to database-driven software. Some custom applications may be more vulnerable to incidents that may be caused by typos or erroneous data entry than big-box brand name software.
In order to provide sufficient protection for the data on a secure network while legally protecting the company, several steps must be taken.
- Ensuring quality programming
- End-user education, including proper user guides
- Limiting user input by restricting form fields to a defined set of accepted inputs.
- Narrowing the data types defined in the code so that each field accepts only what it should.
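As an added illustration (not code from the original article), the Python validator below shows what restricting form inputs and narrowing data types looks like in practice: a hypothetical order-entry schema coerces each field to one type with explicit limits and rejects typos or out-of-range entries before they reach the database. The field names, limits and sample submissions are constructed for this example.

```python
from datetime import date

# Constructed schema for a hypothetical order-entry form. Every field is
# narrowed to a single type plus explicit constraints instead of free text.
SCHEMA = {
    "customer_id": {"type": int, "min": 1, "max": 999999},
    "region": {"type": str, "choices": {"NE", "SE", "MW", "W"}},
    "quantity": {"type": int, "min": 1, "max": 10000},
    "ship_date": {"type": date},
}


def _coerce(raw, spec):
    """Convert a raw form string to the field's narrowed type, or raise ValueError."""
    text = raw.strip()
    if spec["type"] is int:
        # A letter 'O' typed for a zero, or a blank, fails here before int() is called.
        if not text.lstrip("-").isdigit():
            raise ValueError(f"'{raw}' is not an integer")
        return int(text)
    if spec["type"] is date:
        return date.fromisoformat(text)  # raises ValueError for e.g. 05/01/2024
    return text


def validate_record(record):
    """Return (clean_record, errors); a record with any error must not be stored.

    `record` is assumed to map field names to the raw strings a form submitted.
    """
    clean, errors = {}, []
    for field, spec in SCHEMA.items():
        if field not in record or record[field].strip() == "":
            errors.append(f"{field}: missing")
            continue
        try:
            value = _coerce(record[field], spec)
        except ValueError as exc:
            errors.append(f"{field}: {exc}")
            continue
        if "choices" in spec and value not in spec["choices"]:
            errors.append(f"{field}: '{value}' not one of {sorted(spec['choices'])}")
            continue
        if "min" in spec and not spec["min"] <= value <= spec["max"]:
            errors.append(f"{field}: {value} outside {spec['min']}..{spec['max']}")
            continue
        clean[field] = value
    return clean, errors


# Constructed sample submissions: one correct, one with the kind of typos the text describes.
GOOD = {"customer_id": "1042", "region": "NE", "quantity": "12", "ship_date": "2024-05-01"}
BAD = {"customer_id": "1O42", "region": "North", "quantity": "-5", "ship_date": "05/01/2024"}
```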
End-user and Desktop Security
- User rights definition and assignment
- User access restrictions
- User education
- Acceptable use policy
- Strict access rights
- Encryption and segregation of sensitive data
- Proper security restriction, including periodic verification of restricted access
- Audit log
- Local hard drives
- Centralized storage
- Drive storage limits
- Offline Storage
- Cloud Storage
- End-user education
- Acceptable use policy
- Internet activity monitoring
- Limitation of surfing capabilities
- Close Ports
- Up-to-date, adequate antivirus protection
- Regular scanning for unauthorized files
- Hard Drive checkup and cleanup
Physical location security
- Location restrictions
- Wire Management
- Configuration Management
In conclusion, while the mainstream and social media are overflowing with reports of hackers exploiting various weaknesses and gaining access to networks in order to exploit data, most IT professionals prioritize securing their computer network against outside threats. At the same time, many business owners underestimate the need to secure network resources against internal, legitimate users, the people in a direct position to compromise a network, intentionally or not.
Do you need professional Data Backup and Disaster Recovery Services?
Call us 201-493-1414 or Request a Consultation today. Let’s start a conversation to make sure business continuity is protected and your data is safe and secure.
Intelligent Business Continuity services from powersolution.com, a New Jersey local computer service company can reduce the total costs of your IT problems and the resulting downtime. Our IT company experts and engineers can provide remote tech support and on-site computer service visits. We also offer Data Backup and Disaster Recovery services to businesses in New Jersey and local areas.