Most Security Officers, Office Managers, Partners and everyone in between believe the threats facing their information security start outside the office walls. The truth is something else altogether.
While cyber threats are essentially a combination of people, software, hardware and even natural disasters that can put your information at risk – the one you should focus on first is your very own employees.
This is not to imply that your employees are looking to steal from you. The vast majority are happy and have no intention of causing any sort of harm to their employer. But employee accidents are a far larger threat to your data security than a black hat hacker from China or a competitor with nefarious intentions.
But employees, or insiders, are how most data breaches start.
Insiders are, quite simply, the people who sit next to you at work. They are the employees you let go, the ones still on the payroll and even the people you simply authorize to touch your computer systems. They often have direct access to your most valuable and confidential information.
It has been shown that 60% of security events are caused by an inside attack. Of that, 20% are intentional and 80% are unintentional (Intellinx.com). They don't mean to; it's just that the nature of their job gives them direct access to highly sensitive data. 61% of users who have access to a company network use the same login credentials on other non-company sites such as Facebook, Twitter, and LinkedIn (csid.com). Since many targeted breaches begin with a phishing effort to grab users' social media passwords, many are inadvertently putting confidential company login information right out for anyone to see. Additionally, many companies do not track when users access company information. If one of your co-workers or employees accessed company records last night at 2am, would you know? If someone logs into your network from two different locations at one time, would your network react?
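The two questions above (a login at 2am, and one user active from two locations at once) are both answerable from an authentication log if someone is actually looking at it. The following detector is an added example, not part of the original article; the log format, the 07:00 to 19:00 business-hours window and the sample log lines are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample of an authentication log (not from any real system):
# timestamp, user, source location, action
SAMPLE_LOG = """\
2023-03-14 09:02:11,alice,boston-office,login
2023-03-14 12:40:05,alice,boston-office,logout
2023-03-14 13:05:30,bob,home-vpn,login
2023-03-14 13:12:44,bob,chicago-office,login
2023-03-14 17:30:00,bob,home-vpn,logout
2023-03-15 02:07:19,carol,unknown-vpn,login
2023-03-15 02:41:50,carol,unknown-vpn,logout
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working window


@dataclass
class Event:
    ts: datetime
    user: str
    location: str
    action: str


def parse_log(text):
    """Parse the comma-separated log into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, loc, action = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, loc, action))
    return sorted(events, key=lambda e: e.ts)


def find_anomalies(events, hours=BUSINESS_HOURS):
    """Return (user, kind, detail) tuples for off-hours logins and for a login
    that happens while the same user still has a session open elsewhere."""
    active = {}  # user -> {location: login time} for sessions not yet logged out
    findings = []
    for e in events:
        if e.action == "login":
            if not (hours[0] <= e.ts.time() < hours[1]):
                findings.append((e.user, "off_hours_login", f"{e.ts} from {e.location}"))
            others = [loc for loc in active.get(e.user, {}) if loc != e.location]
            if others:
                findings.append((e.user, "concurrent_locations", f"{e.location} while active from {others[0]}"))
            active.setdefault(e.user, {})[e.location] = e.ts
        elif e.action == "logout":
            active.get(e.user, {}).pop(e.location, None)
    return findings
```

On the sample log this flags carol's 02:07 login as off-hours and bob's chicago-office login as concurrent with his still-open home-vpn session; alice produces nothing.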
Part-time employees come with all the same problems as full-time employees, only they know they are temporary. The risk is greater when there is no fostered loyalty. Sure, you might have them sign non-disclosure agreements, but if you are not keeping logs of everything going on, even the most trusted part-time employees might be very costly. They often have all the same access as full-time employees without the responsibility. These resources are often easy phishing targets.
Former employees sometimes get hostile after downsizing occurs. They might feel wronged and feel entitled to compensation. Employees who know they are leaving are also a substantial risk. What information did they take before they gave notice? Also, what about the access that former employees often retain even after they’ve left the firm? Firms without quick and decisive employee exit strategies or clear restrictions for remote access can find that the path to data loss is much shorter than expected.
As you begin to look at your approach for managing security, most firms would be best served to start inside their walls with proper training for employees. Employees need to understand what the rules are (your Written Information Security Plan, or WISP), their role in maintaining security and their responsibilities should they see or hear anything suspicious. Do your employees know to avoid public Wi-Fi when performing client work? Do they know not to click on ANY LINK if they do not 100% know who it's from? Do they know never to use work email addresses for social media logins? It's policies like these, and the training that goes with them, that can save your firm the cost and embarrassment of a true data breach.
Most Cyber Security Consultants will tell you that security is a process that requires continual improvements in technology, process and people. We advise turning that around and making people and education one of your first responsibilities. Getting them on your side and keeping them there will go a LONG way in keeping your company safe from the rest of the threats that exist out there.
For more information on what those other threats are, download the Law Firm Cyber Security Threat Matrix.