Usually when you think about an enterprise data breach, the first thing you picture is an outside intruder. It might be some kid in a dark basement hacking into your servers, or maybe a more sophisticated attack from a cyberspy contingent overseas. However, one of the greatest threats to your enterprise data security stance might be sitting in a cubicle at your office.
While hackers are growing more and more sophisticated, much of the threat to your organization actually comes from inside. That isn’t to say that any of your employees has malicious intent — though it’s possible — but they may be poorly trained, or your enterprise data security policies may be poorly enforced.
Up to 28% of Enterprise Data Security Incidents Come from Inside
According to PWC’s 2014 US State of Cybercrime Survey, more than one in four enterprise data security incidents come from inside. In addition, 32% of companies surveyed said that insider events were “more costly or damaging” than similar attacks coming from the outside. The good news is that most of those incidents are entirely preventable, as long as you have the right policies in place. But in order to toughen up your security stance and protect yourself from the enemy within, it’s important to know how your employees may be compromising your digital security.
When it comes to insider threats, keep two common quotes in mind: Sun Tzu’s “Know thy enemy,” and Walt Kelly’s “We have seen the enemy and he is us.” Let’s take a look at six ways employees can threaten your enterprise data security.
Let’s get the most depressing part out of the way: attacks coming from inside an enterprise accounted for $40 billion in damages in 2013. And unfortunately, while they’re rarer than other threats to your organization, malicious insider attacks are harder to detect and more costly than attacks coming in from outside hackers.
No business owner or manager likes to think that the very people on their team, or their trusted business partners, have it out for them, but as AT&T proved last year, sometimes a few bad apples can get past HR.
2014 was a rough year for enterprise data security, if the high profile breaches of Sony, JPMorgan and Home Depot told us anything. It was especially rough for AT&T, who suffered not one but two separate malicious insider attacks, resulting in the exposure of customers’ social security numbers, driver’s license numbers and birth dates, as well as hefty fines for the mobile giant.
Any data breach can threaten your company’s reputation, let alone one coming from inside. So what could AT&T have done to keep their customers safe?
With any sort of attack, it helps to get in the mind of your attacker. If you were a disgruntled employee looking for a chance to take down your employer, when would you do it? Probably not while you’re still on the payroll and using a company computer, right?
Most malicious insider attacks happen within the 30 days before or after an employee’s last day. After all, no matter how much you might hate your boss, or want to get your hands on your employer’s most valuable intellectual property, you don’t bite the hand that feeds. Once you’re counting down to your final paycheck, though, all systems are go. And if your email or VPN login still works after you’ve packed up your desk, that’s an even better opportunity: you can hack into your ex-employer’s servers or email from the comfort of your own home.
We’re not telling you to be cynical, of course. Thinking of each of your employees as a potential mole is a surefire way to murder morale, and if one of your employees compromises your enterprise data security, it’s more likely because they downloaded a virus from an email, not because they’re holding some grudge against you. In fact, showing an abject lack of trust in your employees might make them more likely to attack, if they feel like they’re not getting their due respect.
What you can do is use your common sense. Remove your employee’s access to your email servers, VPN and other company resources as soon as they leave, and not a minute after — after all, it’s best practice in general to limit access only to those who need the data, when they need it, and former employees certainly don’t need that access anymore.
Another important policy to implement is to block access to USB ports. If your company workstations have USB access, you can use liquid cement to make them unusable to a rogue employee with a thumb drive. This doesn’t just prevent intentional data theft; it also prevents unintentional leaks by employees who aren’t as knowledgeable about proper enterprise data security precautions (granted, you should close those knowledge gaps with ample training).
And if employees send any red flags, make note of them. According to the PWC State of Cybercrime report, employees who committed cybercrimes often displayed telling behavior beforehand, such as violating IT security policies and being disruptive.
Passwords are one of the oldest authentication protocols still in use, literally dating back to the invention of spoken language. While it might be tempting to turn to the adage, “If it ain’t broke, don’t fix it,” the fact is that passwords, at least the way most people use them, are seriously broken. It only takes ten minutes to crack a six-character password that’s all lowercase letters. If you capitalize some of those letters, it will take 10 hours. If you replace letters with numbers and symbols, you’re looking at 18 days of safety before someone gets a hold of your password (Bloomberg Business).
All it takes is one employee with a password like “123456” or “baseball” to give a hacker easy access to your company’s most sensitive (and valuable) data. Now consider how many employees are at your company. Now consider how many passwords each of those employees is responsible for. It’s a sure equation for an enterprise data security disaster, unless you create and enforce a strong password policy.
Without a strong and well-enforced password policy, your enterprise data security is at risk. Make sure that your employees are prompted to change their passwords every three months at the very least, and that the passwords have the following requirements:
○ They should contain at least nine characters. Even a weak nine-character password will take four months to crack.
○ They should contain a combination of letters, numbers and symbols.
○ They should contain a combination of uppercase and lowercase letters.
○ The new password must not match any of the employee’s previous passwords.
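As an added illustration that is not part of the original article, the Python below checks a candidate password against the four rules listed above, and against a history of previous passwords kept only as salted PBKDF2 hashes (the hashing-and-salting point made later in the piece), so the old plaintexts never need to be stored. The function names, the iteration count and the sample passwords are assumptions of this example.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 9          # rule 1 from the policy above
ITERATIONS = 100_000    # assumed PBKDF2 work factor for this example

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per stored password means two
    employees who pick the same password still get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def complexity_violations(password: str) -> List[str]:
    """Apply the length, letter-case, digit and symbol rules; return failed rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one symbol")
    return problems

def matches_previous(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-hash the candidate with each old salt and compare in constant time.
    Only (salt, digest) pairs are kept, so the history reveals no old passwords."""
    for salt, old_digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, old_digest):
            return True
    return False

def validate_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Combine the complexity rules with the no-reuse rule; empty list means accepted."""
    problems = complexity_violations(password)
    if matches_previous(password, history):
        problems.append("matches a previous password")
    return problems

if __name__ == "__main__":
    # Constructed sample: the employee's last password, stored hashed and salted.
    history = [hash_password("Summer2014!")]
    for pw in ("baseball", "Summer2014!", "MbfeatofP1987!"):
        print(pw, "->", validate_new_password(pw, history) or "accepted")
```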
Of course, it’s inconvenient to have to change and memorize a long, complex password, but there are a few tricks to do it. One is to memorize a sentence only you would identify (for example, “My best friend eats a ton of fried pickles”), and then turn it into an acronym, like so: “MbfeatofP.” You can add your best friend’s birth date (or the number of pickles they eat) at the end, with a symbol.
Another method is the Correct Horse Battery Staple method. Conceived of by Randall Munroe of XKCD, the Correct Horse Battery Staple method of creating a password involves coming up with a silly, nonsensical but memorizable sentence, then using that entire sentence as a password.
Educating your employees about password strength and password memorization techniques, in addition to creating and enforcing strong password policies, will be a big step forward in improving your enterprise data security posture and protecting your company from the inside out.
Again, each employee should only have access to the systems and data they need to access, when they need to access them — and that access needs to be revoked as soon as the employee no longer needs it.
Let’s say you have a folder on a server full of confidential documents. They might contain sensitive customer data, like phone numbers and birth dates, or they might contain plans for a secret project.
Now let’s say that one of your employees, still figuring out their way around your file management system, opens up that folder and accesses one of those documents. Now they have a cached copy on their personal workstation, which gives a hacker another vector by which to access the sensitive data. Worse, they may accidentally attach the document to an email, delete the document from its original location on your company server or otherwise compromise the data — all completely unwittingly.
Not to mention, weak access policies give those employees who are tempted to steal your data an easy way to do it.
Make sure your sys admin creates and enforces a strict access policy, and make folders inaccessible by default until the employee requests permission from the sys admin. Again, this may not be the most convenient solution for your employees, but it’s worth the modicum of added hassle to avoid an enterprise data security breach.
Each of your employees is in charge of their own workstation, and what they download could be a security threat to your whole organization. This could be anything from what they assume is a helpful productivity app or extension from a website, a trojan-laden torrent from a pirating website or a risky click from an email spammer.
No matter how your employee gets it, though, you’re lucky if the damage is isolated to that person’s work computer. More likely, it will spread through your network, and if you don’t have the proper network isolation, it can spread to the servers containing your most precious data. From there, nogoodniks can leech data from your employee’s desktop, email and any other machines the virus now calls home.
There are a few automated things you can do daily, like run a virus scanner and data backup every time your employees leave work at the end of the day — in fact, daily backups should be part of your disaster recovery plan to begin with. This will help mitigate the damage and data loss that can result from a virus on an individual machine.
You should block network access to some of the usual suspects, like torrent sites, and discourage your employees from downloading programs on their own without the express permission from someone in IT.
An important aspect of virus prevention is simply employee education. Even in the year 2015, spam manages to get through our email filters, and clicking on a link in an email can lead to a virus that compromises not only your employee’s workstation, but your entire network. Educate your employees not to click on links in emails, but to copy and paste the link into a browser. Clicking is a reflexive habit for many employees, but creating a company culture that centers on enterprise data security can help build better habits in your workforce.
Phishers and social engineers can exploit your employees for all sorts of internal data, including passwords, as well as gain access to your facilities. How? Phishers imitate legitimate companies your employees might interact with, like your enterprise software vendors or email provider, and simply ask for the data via phone or email. A social engineer might dress up like a maintenance person, slip past your front desk and plug a thumb drive into an empty workstation.
No matter how they gain access, phishers and social engineers are wolves in sheep’s clothing, out for your data. If your employees don’t know how to recognize them, their weak defenses let your company’s guard down.
When it comes to preventing phishing, knowledge isn’t half the battle — it’s really your only defense. Make sure that your enterprise data security training for all employees includes information on how to prevent phishing and social engineering attacks, and the red flags to look out for in email and phone calls.
If you have a company Help Desk, make sure that your employees route all of their password issues through your IT force, as opposed to directly through the vendor for that particular program. That way, your employees won’t be tempted to give their login credentials to impostors over the phone or email.
It’s also important to establish protocols for allowing visitors, vendors, clients, interviewees, maintenance staff and other guests in and out of your facilities. Make sure each guest is checked in, expected and verified, and keep your receptionist or office manager updated on who to allow in, when and where.
A lack of strong data and email encryption can also make your data and systems more vulnerable to a security breach. In fact, using encryption can help to prevent some of the types of security breaches mentioned above.
Hashing and salting a password can help protect it against hacking, and using email encryption can help protect sensitive data contained in email even if a bad guy gets one of your employees’ passwords. Encryption provides an extra layer of security for your data, making it unreadable to anyone with whom you haven’t explicitly shared the encryption key. By using encryption to protect not only the data you host on premises and in the cloud, but also your company email solution, you can bolster your enterprise data security posture and protect your business from a nasty breach.
Remember: you hired your employees to help build the business, not to make it weaker with poor security practices. But with the right policies and tools, you can protect your organization not only from hackers and cybercriminals far from your business, but also from the folks right in your office. And one of the most important ways to do that is to use an enterprise-grade email encryption solution.
Virtru provides strong email encryption without the hassle of more complicated solutions, like PGP and S/MIME. All you have to do is download a plug-in and hit a switch to protect your enterprise data security and email privacy. If you’re on the hook for HIPAA, FERPA or CJIS compliance, Virtru can also help protect your business against compliance violations (and hefty fines).
Contact us to learn more about our partnership opportunities.