At one time, external cybersecurity threats were considered the biggest cause for concern within any organization. Then everyone became aware of the dangers posed by malicious insiders. Now, security professionals are recognizing the major implications of negligent insiders - threats caused by employees whose actions have no malicious intent.
In fact, a 2018 Cybersecurity Insiders report revealed that the majority of cybersecurity professionals say they are most concerned about accidental or unintentional insider threats, caused by carelessness, negligence, or compromised credentials. If the professionals are worried about these issues, we should probably take notice and act. To help you get started, we’ve compiled this list of ways you can become more aware of and prevent accidental insider threats.
1. Audit and Monitor Your Team’s Access Privileges
Does your organization have an access problem? The Cybersecurity Insiders report also revealed that 37% of surveyed cybersecurity professionals consider “too many users with excessive access privileges” as the number one enabler of insider attacks. Sharing credentials and granting access without careful consideration opens your network to all sorts of accidental insider threats.
You wouldn’t give your home’s security system to everyone in your neighborhood, and you shouldn’t grant access to every employee on your team. Reduce your risk of exposure by performing an audit on the state of privileged access in your organization, monitor access, and develop stricter policies for granting access.
You can use ActivTrak to easily monitor both Remote Vendor and Privileged User access. Watch this free product training video to learn how.
2. Implement Password Protection Policies
You could get all of your “Access Ducks” in a row and still have a password-related vulnerability. Does your organization have a password policy? 56% of cybersecurity experts say weak or reused passwords are the biggest enabler of accidental insider threats, while 44% consider the main offender to be bad password sharing practices. You should take steps to ensure that employees:
- Use strong passwords. Mental Floss suggests long passwords made up of nonsense phrases that include randomly mixed up symbols and numbers.
- Use different passwords for each account and system.
- Never write down passwords.
- Don’t share passwords.
3. Audit and Protect Your Digital Assets
Take stock of all equipment and establish security policies. You need to know exactly who uses which devices, who takes their computers outside the office, where the machines are being used. Educate employees about unsecured WiFi networks and mandate that they only use secured. Have a plan in place for times when a computer is lost or stolen to prevent outsider access. Tell employees to lock their computers every time they leave their desks.
Don’t forget about the dangers of USB storage devices. Make sure everyone knows how dangerous it is to insert unfamiliar USB drives into company machines and consider using some form of USB security.
4. Secure Your Cloud-Computing Tools
While most people understand the need for caution when it comes to USB devices, do you or your employees recognize the potential threat of cloud storage and collaboration applications?
PCMag published an article that breaks down CODE42’s data exposure report and revealed that services like Microsoft OneDrive, Google Drive, Dropbox, Slack, iCloud, and WhatsApp are not only used by employees but are actually sanctioned by the company. You should understand that, while helpful and easy to implement, these apps facilitate the insecure moving of data outside the company. The danger, CODE42 reports, is that "information security teams lose visibility to data and thus the ability to protect it." There’s the risk that employees may accidentally expose confidential data to an unsecured cloud location.
This article from InfoSecurity Magazine is a great resource and includes some best practices for cloud computing, like “ensure employees understand which services are approved and which are not, how to properly secure their services, and what types of data must be stored where and how.” In addition to implementing and enforcing safe cloud computing policies, consider a cloud security provider like Cisco Cloud to add multiple layers of protection.
5. Invest in Cybersecurity
When it comes to security, don’t skimp on the budget. While some methods of prevention like policies and procedures are free, you need to invest in a variety of safety solutions. Antivirus software, while helpful, isn’t enough. Consider multi-factor authentication solutions and private cloud platforms.
You might do a great job of providing educational materials for employees, but sometimes outside resources are more effective. To ensure your team’s cybersecurity competence, provide professionally prepared training materials and courses like what The Security Awareness Company offers.
6. Prevent Email Phishing Victims
Email is still the main form of work communication and it still poses a huge security risk - especially as an accidental insider threat. Phishers are becoming more sophisticated in the ways they design emails in order to collect financial, personal, and account information. They can accomplish this by including a URL or attachment. You may have seen these before. Most often they look like they’re from a person or company you know or trust. Examples include: a social media site telling you to update your password, an urgent request from your boss, or an email telling you to claim your prize.
One of the best prevention strategies is education. Share examples of these phishing emails with the team. Make sure they know what a dangerous email looks like. If users will just take the time to analyze a suspicious message, they’ll probably find that much of the email doesn’t make sense. Phishing.org is a great resource that offers more advice on what to look for.
It’s impossible to prevent phishers from sending emails. If you set up activity tracking software, you can have logs of every clicked email for investigation in the event that an employee does fall victim to phishing. And, in addition to reporting a phishing attempt to management, the FTC instructs targets of phishing to forward it to the FTC at [email protected] and the Anti-Phishing Working Group at [email protected]. You can also report the phishing attack at ftc.gov/complaint. And in the event that an employee does fall victim to phishing,
7. Monitor and Analyze User Behavior
One of the best ways to anticipate accidental data exposure is to understand how your team works on a daily basis. By analyzing workflows and reviewing user activity data, you can identify unintentional high-risk behavior, like unauthorized downloads and browsing unsecured websites. Accidental insider threats are difficult to catch because you have no reason to be suspicious of the offender.
With contextual user activity monitoring software, you can not only discover instances of dangerous actions, but you can determine the intent of the user by adding the context of the surrounding events. Some programs, like ActivTrak, offer a way to automatically rank users based on the number of risky activities they take. With a list of high-risk users and a log of their activities, you can provide coaching and help them understand why their actions could easily lead to accidental insider threats.