CIOs ranked cybersecurity as a top goal in 2018, and cybersecurity continues as a key priority in 2019.
Travelers Insurance shared some interesting statistics that covered losses of more than one million dollars for a single security breach. Travelers’ five top cybersecurity risk categories include:
- Human error (such as stolen laptops and smartphones);
- Spear phishing , also known as social engineering targeted at employees; extortion; and
- Social and political “hacktivists.”
SEE: Information security policy template download (Tech Pro Research)
The average total cost of addressing and repairing any one of these breaches, according to Travelers, was in the multiple millions of dollars. That’s a lot of money, which starts with increases in liability insurance premiums and progresses into damage mitigation, brand damage mitigation, etc.
Most interesting is that three of these five risk categories are employee-centric. For instance, it is employees who lose or misplace phones and laptops, or who open innocent looking emails that commandeer company systems, or who get angry at the company, make off with critical files, and then try to extort money from the company in return for the files they’ve stolen.
Beyond HR employee and new hire screenings, it’s not always possible to know which employees are likely to become malicious–but there are several actions companies can take to improve overall employee awareness about security. Below are five ways to implement tighter security.
1. Carefully terminate an employee
If an employee is placed on leave or terminated, immediately disconnect the employee from all systems, networks, and building access points, and collect all mobile devices/laptops issued to the employee. Then walk the employee out the door. Activities like this might seem callous to other employees, but it is necessary in many of today’s highly proprietary environments.
2. Install zero trust networks
When you install zero trust networks shadow IT (and every other IT asset) can be monitored. A zero trust network only admits individuals authorized for network access. That means that if an end user goes around IT (and IT security) in an effort to fast track the launch of an application, he or she will be denied access to corporate IT data and resources when a network connection is tried. A zero trust network is a good way to enforce security, and it also offers easy ways to track and trace unusual attempts at access and/or unusual network usage patterns.
SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
3. Limit information transfers to BYOD devices
Because BYOD devices are used at home and at work, they are easy to lose, misplace or misuse. A sound approach is enabling mobile access and storage of corporate data on the cloud only.
4. Discourage password sharing
As old as the password sharing security blunder is, it’s still happening. Users should be regularly reminded never to share passwords–by their supervisors as well as by IT.
5. Put security a front and center
In one case, a technology company placed security information kiosks in its cafeterias so that employees could view. The move sent a message to employees that security and data privacy was of utmost concern to the company, and that it expected it to be a cultural value everyone subscribed to.