23 Feb The Keys to the Castle

When it comes to security, the more layers you have, and the better each layer is, the more successful you’ll be in deterring most thieves. However, no matter how good the security is on your home or car, if a thief really wants something, then he or she is going to do whatever it takes to get it.

But what if the thief is someone who is already trusted? For those who have teenage children, do you leave money on top of your dresser, keep the liquor cabinet unlocked, or provide easy access to the car keys? You might think, “my child would never break the rules because of the consequences.” And then, you get into a fight, or take away privileges, and all that goes out the window when the teenager, in a fit of rage and emotion, does the unthinkable. It’s the same with corporate cyber security.

The IT department in most companies has the “keys to the castle” and each IT employee needs to be trusted more than most because of the damage they can do. In an article titled “Is Your Company Protected From Insider Cyber Threats?” on the website of Workforce Magazine, it notes that, when it comes to data breaches, employees are often a company’s weakest link. Three types of employees are listed as the greatest threats to cyber security – negligent, disgruntled, and malicious.

A negligent employee can be anyone in any department who is ignorant or not trained in practicing good cyber security. A disgruntled employee can also be anyone, but is angry toward the company and is either apathetic about whether cyber damage occurs, or worse, actively attempts to cause damage. Finally, there’s the malicious employee. This is, by far, the most dangerous because their sole purpose is to steal.

Whether an employee is recruited by an outside force to steal from the company where he or she works, or an employee intentionally gets a job with a company so that they can steal from them, makes no difference. The danger is that they do steal and it may not just be data. It could be equipment, prototypes, or anything the company would like to keep secret.

There are a few things companies can do to help prevent insider threats, but these measures can be expensive and possibly too costly for small businesses. High-risk employees should be monitored. High-risk examples would be senior-level executives, IT employees with access to everything, low-level employees who have been previously warned about cyber security negligence, and any employee who HR believes might become disgruntled. Another deterrent to theft is a thorough inventory of all hardware. The easy items are laptops and mobile devices, but don’t forget about USB or “thumb” drives and external hard drives. Finally, make sure you have a process in place to protect whistleblowers. The phrase, “if you see something, say something” doesn’t just apply to terrorism.

There will always be cyberattacks and data breaches. The question is how well a company is prepared in advance to stem these attacks and mitigate the damage if it happens.