Managing Security Threats from Within

4 Tips for Managing Cybersecurity Threats from Within

Most companies develop and implement cybersecurity strategies aimed at external threats. However, according to the Ponemon Institute and IBM Security’s “2019 Cost of a Data Breach Report,” malicious attacks account for only about half of data breaches; the other half stems from internal causes, namely human error and system glitches.

When it comes to cybersecurity, the human factor is usually the hardest to control and predict. This is why some companies make substantial investments in employee cybersecurity training. Training is a proactive measure your organization can take, but you also need to increase vigilance and eradicate poor security practices. After all, it only takes one careless employee for a full-blown, damaging security incident to take place.

One also cannot discount the possibility of employing malicious insiders, or of having unhappy employees set on stealing data or damaging the company’s reputation. To reduce that risk, here are four tips for managing cybersecurity threats from within:

1. Review and revise your security policy

At a minimum, the company security policy should include procedures designed to prevent and detect misuse of information. It should give clear guidelines on what constitutes misuse and how insider investigations are to be conducted, along with a statement of the consequences of misusing company resources. Your policy should also set limits on access to and dissemination of personnel data, particularly data on employees under investigation, as well as restrictions on sharing or disseminating confidential data.

In addition, password protection and device usage should be covered in your security policy.

2. Guard your employees against social engineering

Employee cybersecurity training should cover social engineering. Although anti-malware software and email filters flag many malicious emails, your best defense against social engineering attacks is teaching your people to recognize and resist them. Your training program should therefore simulate the various modes of attack, whether phishing emails, phone calls or in-person pretexting, and teach employees how to react to suspicious requests. There should also be a testing phase after training, such as an unannounced simulated phishing campaign, to identify potential weak points among your employees.

3. Reinforce physical security

Guard your premises from physical theft and implement tight access control to critical infrastructure. If your company relies on keycards, you may need to rethink your current policies. Anyone’s keycard can be lost or stolen, or even innocently loaned by an obliging employee to someone they know.

To address this, you can require two-factor authentication, such as both a keycard and a PIN, for access. But remember the unpredictability of the human factor? Some employees might still lend both their card and their PIN to a colleague. Your best recourse is biometric authentication, such as fingerprint or facial recognition scanners, ideally combined with the card, since a biometric cannot be lent.

You should also provide employees with drawers that come with a lock and key for storing sensitive data and important files — just to make sure these are safe from prying eyes.

You may need to invest more, but it is worth it when corporate security is at stake.

4. Carefully screen new employees and vet suppliers

Background checks are standard in recruitment. However, it helps to delve deeper into each prospective hire’s background to ensure that you are not hiring a spy or, at the very least, an associate of a con artist or cybercriminal.

The same should apply to third-party vendors and suppliers you plan to work with on particular projects. As much as possible, work only with those who implement and adhere to industry-standard cybersecurity guidelines. A solid vendor management solution is also worth strong consideration.

Shawn Corrigan

Shawn Corrigan is the President and Founder of Interactive Security Holdings Inc. Interactive Security has grown into a global company offering IT compliance auditing services for small to large companies, focused on making compliance obtainable, simple and affordable. With over 20 years in the BPO and financial industry working at the executive level, Corrigan has experienced the pitfalls, trials and tribulations of bringing an enterprise organization into IT compliance. Corrigan has designed a methodology geared at guiding clients of any size to successfully achieve compliance and ultimately obtain compliance certification. Corrigan is certified as a FISMA – NIST Implementor, PCI-DSS QSA, HiTRUST Certified Practitioner and HiTRUST Certified Quality Professional, and ISO 27001 Lead Auditor and Implementor.