Whether it’s a contractor or service provider, a malicious insider, or a disgruntled employee, your company faces a daunting variety of internal IT security risks.
Users with too much access to sensitive systems can cause significant damage – by accident or on purpose. Sloppy email security practices can leak sensitive information or unleash viruses on your systems. And malicious insiders may deliberately try to steal financial information for the purposes of fraud, or intellectual property in order to sell it to a rival.
Underestimating the risks that can ensue from internal IT threats is obviously a dangerous strategy, yet internal security is not always a priority for SMEs. In fact, nearly half of SMEs do not have the means to monitor or filter internet traffic and employee online activity, according to a recent survey conducted in the US by security company GFI.
Two-thirds of SMEs in that study reported that they are more concerned about external security threats, compared to just 9 percent who are more concerned about internal threats. And nearly half of SMEs underestimate the impact that uncontrolled internal access to the internet can have on their organisation – in terms of network security, productivity levels and human resources issues.
The GFI survey also found that few small and medium-sized firms have rules or policies in place governing email storage or retention. That’s of particular concern, since email is the method most commonly used by employees to steal information, according to recent research conducted by Irish information security company Espion. (Old-fashioned hard copy printouts are the second most popular method, and mobile storage devices, such as USB memory sticks and data CDs, account for 10 percent of data theft cases.)
IT security: Analyse the risk
So how can you guard against internal IT threats? Start with a risk analysis of your data and systems. This involves determining the data you have, its sensitivity and the systems it resides on. This includes data used off-site, such as customer details on laptops used by travelling sales teams.
Next, create a classification system based on risk level. Financial information and transaction records are good examples of high-risk information. Meanwhile, customer data such as names and addresses that can be found in a phone book are examples of medium-risk data. Low-risk information could include marketing data that can’t be traced back to an individual.
The GFI survey found that 58 percent of SMEs have a formal policy on restricting access to sensitive data, but only 47 percent say they have a formal policy in place to categorise company data according to its sensitivity.
IT security: Get physical
You can improve the physical security of your systems by limiting the areas different employees are allowed into. All IT systems with high-risk data should be stored in locked rooms, with limited access.
Make sure that mobile storage devices, such as USB memory sticks and data CDs, are always accounted for, use encryption and, if not being used, are stored in a safe place.
IT security: Control access
Employees should be given access to data solely based on their job duties. For example, a designer working on one project will likely need access to only that project’s data and not any other project data.
Administrator (or ‘privileged user’) access, which is typically given to network, security and database administrators, gives users broad access to files and folders on your systems. Such accounts should be tightly managed as a potential source of a data leak.
In fact, widespread privileged user management (PUM) bad practice is threatening the security of European organisations, according to recent research conducted in Ireland and 13 other European countries by IT management software provider CA. The bad practices include sharing privileged user accounts (PUAs) – a practice that is frowned upon by auditors – and using default usernames and passwords when creating PUAs.
Access should be audited regularly, and all employees who are no longer with the company should have their access rights revoked. Espion recommends that if there is a notice period after an employee is let go, the IT department should actively monitor that employee’s access to the network to make sure sensitive and confidential data is not being downloaded or sent to the employee’s personal email account.
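The access review described in this section can be partly automated. The script below is an added example, not from the original article or from GFI, CA or Espion; it runs over a constructed HR roster, account list and login log (all hypothetical) and flags leavers whose accounts are still enabled, privileged accounts using vendor default names, privileged accounts that look shared (used from several workstations within a short window), and any network activity by a leaver during a notice period.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): HR roster, directory export, login log.
ROSTER = {  # username -> (department, still employed?)
    "jsmith": ("design", True),
    "mbrown": ("finance", False),   # has left the company
    "admin": ("it", True),          # vendor default account name
    "rkelly": ("it", True),
}
ACCOUNTS = [  # (username, is_privileged, enabled)
    ("jsmith", False, True), ("mbrown", False, True),
    ("admin", True, True), ("rkelly", True, True),
]
LOGINS = [  # (minute of day, username, workstation)
    (0, "admin", "ws-01"), (3, "admin", "ws-07"), (5, "admin", "ws-12"),
    (10, "rkelly", "ws-03"), (40, "rkelly", "ws-03"),
    (12, "mbrown", "ws-09"),
]
DEFAULT_NAMES = {"admin", "administrator", "root", "sa"}  # assumed list


def review_accounts(roster, accounts, logins, window=15, max_hosts=1):
    """Return sorted (finding, username) pairs for the access review."""
    findings = set()
    # 1. Leavers (or users unknown to HR) with an enabled account: revoke.
    #    Privileged accounts with a default name: rename / re-credential.
    for user, privileged, enabled in accounts:
        _, employed = roster.get(user, (None, False))
        if enabled and not employed:
            findings.add(("revoke", user))
        if privileged and user in DEFAULT_NAMES:
            findings.add(("default-name", user))
    # 2. A privileged account seen on more than max_hosts workstations
    #    within `window` minutes is probably a shared account.
    privileged = {u for u, p, _ in accounts if p}
    by_user = defaultdict(list)
    for minute, user, host in sorted(logins):
        by_user[user].append((minute, host))
    for user in privileged:
        events = by_user.get(user, [])
        for start, _ in events:
            hosts = {h for m, h in events if start <= m < start + window}
            if len(hosts) > max_hosts:
                findings.add(("shared", user))
                break
    # 3. Any login by a leaver during the notice period is worth a closer look.
    for _, user, _ in logins:
        if user in roster and not roster[user][1]:
            findings.add(("leaver-activity", user))
    return sorted(findings)
```

Run as a scheduled job against real directory and authentication exports, the same four checks give a short list of accounts for the IT department to act on.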
IT security: Use what you have
Remember that some access control measures are built into most operating systems these days. These can be used to restrict use of certain files and folders to specific users. Make sure to use these settings across the company in order to restrict access to sensitive data and applications.
Even something as simple as a password-protected screensaver (which requires you to enter a password to return to the desktop) can make the difference between secure data and an embarrassing leak.
IT security: Create compelling passwords
Ensure that you have a password policy in place to protect your company’s data and make it more difficult for your system to be hacked.
Consider incorporating security policy training into each employee’s annual review.
In our follow-up feature we’ll look at tools that can monitor your network for suspicious activity and see how email security policies can help protect your systems against internal threats.
This article originally appeared in the eBusiness Live newsletter from Enterprise Ireland’s eMarketing Unit and was written by ENNclick.