The Department of Defense has designated September as National Insider Threat Awareness Month. Their emphasis, of course, is on government agencies, quasi-government agencies and contractors working together to protect the integrity of national security information. The campaign, however, raises an important question for all businesses that rely on nonpublic personal information (NPI) – including the insurance industry.
It’s a long-standing “truth” of IT that users represent the greatest single threat to data security. But does it have to be that way? In this two-part article, we’ll explore different scenarios that may lead to data breaches and what agency leaders can do to mitigate or even prevent them.
The Unintentional Threats
There are several types of employees who can pose unintentional, but still significant, threats to information security. Let’s take a closer look at three of them.
Firstly, there’s the inexperienced user. They may know how to use the company’s information systems to get their work done, but their knowledge of best practices for data security is minimal, if not non-existent.
Secondly, we have the self-proclaimed IT expert. Unlike the inexperienced user, this individual has tremendous confidence in their IT skills. They do have knowledge, but often just enough to be dangerous. Their DIY approach to tech support circumvents the IT department and its carefully crafted security protocols.
Thirdly, and perhaps most dangerous, is the overly helpful IT tech. They should know better, but in a well-intentioned effort to be helpful and get the team back to work, they circumvent data security protocols – just this once.
So how can you mitigate the risks posed by these individuals?
Training, training, training
The cybersecurity and data security regulations already implemented by a number of key states include an employee training requirement. (BTW, look for more states to implement regulations of their own in 2020.) A well-designed training program can turn your greatest vulnerability into your first line of defense.
The key word in that statement, however, is well-designed. A once-a-year cram session of don’ts can actually do more harm than good by creating a false sense of security. To be effective, a program needs to include training exercises – preferably hands-on – that teach users to recognize and respond to various types of threats. Cybersecurity training also needs to be reinforced several times throughout the year. Dividing training into separate workshop sessions is a great choice, but a simple email or short video reminder about best practices can be effective, too.
Create a Trust But Verify Culture
Many leaders understand the role that corporate culture plays in attracting talent and improving morale, but few realize the impact that it can play in data security. If an agency has a culture of fear, employees may be reluctant to bring their security concerns or data breaches to the attention of appropriate parties for fear of shaming or retaliation.
Additionally, many types of cyber threats rely heavily on social engineering. Spear phishing, for example, uses information gleaned from public sources or an early system breach to impersonate a high-profile individual with access to financial assets or valuable intellectual property. If an employee receives an urgent or irate email supposedly from a CEO or other key team member, though, they need to feel empowered to question its authenticity. Setting up two-factor authentication for high-value money transfers or information sharing can help protect your tangible and intangible assets, as can requiring two different individuals to approve such transactions.
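The dual-control idea above (a second-channel confirmation plus two distinct approvers for high-value transfers), as an added illustration that is not part of the original article. The policy threshold, the shared secret and the request data are all constructed for the example; a real system would key the confirmation channel per user and log each step.

```python
"""Dual control for a high-value transfer (illustration, not the article's code).
Hypothetical policy: a transfer at or above APPROVAL_THRESHOLD is released only
after (1) a confirmation code delivered over a second channel, bound to the
request id and amount, and (2) approval by two different people, neither of
whom filed the request. An urgent "CEO" email alone can satisfy neither."""
import hashlib
import hmac
from dataclasses import dataclass, field

APPROVAL_THRESHOLD = 10_000            # constructed policy value
CHANNEL_SECRET = b"demo-only-secret"   # constructed; a real system keys this per user

@dataclass
class TransferRequest:
    request_id: str
    requester: str
    amount: int
    approvals: set = field(default_factory=set)
    confirmed: bool = False

def confirmation_code(request_id: str, amount: int) -> str:
    """Code sent over a separate channel; it changes if the amount changes."""
    msg = f"{request_id}:{amount}".encode()
    return hmac.new(CHANNEL_SECRET, msg, hashlib.sha256).hexdigest()[:8]

def confirm(req: TransferRequest, code: str) -> bool:
    """Check the code the employee read back against the request as filed."""
    expected = confirmation_code(req.request_id, req.amount)
    if hmac.compare_digest(expected, code):
        req.confirmed = True
    return req.confirmed

def approve(req: TransferRequest, approver: str) -> int:
    """Record an approval; the requester may not approve their own request."""
    if approver == req.requester:
        raise PermissionError("requester cannot approve own transfer")
    req.approvals.add(approver)
    return len(req.approvals)

def can_release(req: TransferRequest) -> bool:
    """Low-value transfers follow normal controls; high-value need both checks."""
    if req.amount < APPROVAL_THRESHOLD:
        return True
    return req.confirmed and len(req.approvals) >= 2

if __name__ == "__main__":
    req = TransferRequest("TR-001", "alice", 25_000)
    confirm(req, confirmation_code("TR-001", 25_000))   # code read back from the call
    approve(req, "bob"); approve(req, "carol")
    print("release" if can_release(req) else "hold")
```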
Control System Access
Controlling system access is fundamental to cybersecurity. System administrators need to know which individuals have access to the various devices and information stores on the system – both in-house and remotely. Users’ access needs to be restricted to the information needed to complete their job tasks. Balancing security against ease of use is a delicate act, however, especially in agencies where team members wear multiple hats or change roles as they move from project to project.
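One way to keep "who has access to what" in line with "what their current job needs" when staff move between projects, as an added illustration that is not from the article: access is modelled as project-scoped role assignments, and a periodic review lists every grant a person still holds that no active assignment justifies. The roles, assignments and grants below are constructed sample data.

```python
"""Least-privilege access review (illustration, not the article's code).
Hypothetical insurance agency: permissions are granted through roles, each
role assignment is tied to a project with a start and optional end date, and
a grant is only justified while some active assignment still requires it."""
from datetime import date

# Constructed role -> permission mapping
ROLE_PERMISSIONS = {
    "claims-adjuster": {"claims:read", "claims:write"},
    "underwriter":     {"policies:read", "policies:write", "npi:read"},
    "project-lead":    {"projects:read", "projects:write", "npi:read"},
}

# Constructed assignments: user -> [(role, project, start, end or None)]
ASSIGNMENTS = {
    "dana": [
        ("claims-adjuster", "auto-2019", "2019-01-07", "2019-06-30"),
        ("project-lead",    "home-2019", "2019-07-01", None),
    ],
    "sam": [
        ("underwriter", "auto-2019", "2019-01-07", None),
    ],
}

# Constructed: what the systems actually grant each user right now
CURRENT_GRANTS = {
    "dana": {"claims:read", "claims:write", "projects:read", "projects:write", "npi:read"},
    "sam":  {"policies:read", "policies:write", "npi:read", "claims:read"},
}

def justified_permissions(user: str, today: str) -> set:
    """Union of permissions from every assignment active on `today` (ISO date)."""
    day = date.fromisoformat(today)
    perms = set()
    for role, _project, start, end in ASSIGNMENTS.get(user, []):
        if date.fromisoformat(start) <= day and (end is None or day <= date.fromisoformat(end)):
            perms |= ROLE_PERMISSIONS[role]
    return perms

def stale_grants(user: str, today: str) -> set:
    """Grants the user holds that no active assignment justifies."""
    return CURRENT_GRANTS.get(user, set()) - justified_permissions(user, today)

def access_review(today: str) -> dict:
    """Map each over-privileged user to the grants an admin should revoke."""
    return {u: s for u in CURRENT_GRANTS if (s := stale_grants(u, today))}

if __name__ == "__main__":
    for user, grants in access_review("2019-09-15").items():
        print(f"{user}: revoke {sorted(grants)}")
```

Dana's claims permissions survived a project change, and Sam holds a claims grant no role ever gave him; both are the kind of drift a quarterly review should catch.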
System administrators also need to understand the information available through remote-access devices, whether owned by the company or by individual employees, and take appropriate steps to secure these devices. Employees need to understand what measures to take to protect company and client information when they’re out of the office. (After all, the best multi-factor authentication protocol is useless if an agent walks away from an “open” tablet or laptop to grab another cup of coffee.)
Team members need to understand the risks posed by unapproved applications and outside devices. Protocols for requesting approval for new software applications, transferring sensitive data, and authorizing external devices need to be clearly defined – preferably in writing. IT personnel and employees need to understand how these protocols work and why they are essential. Remember, too, that fast response times to such requests are vital to discouraging the DIY approach.
Finally, there need to be real consequences for violating data security protocols. This doesn’t have to mean terminating an employee for an unintended mistake, but every employee from the CEO to the newest hire or intern needs to understand that their actions impact the viability of the company as a whole.
Check back on September 25th for the second part of this series, which discusses how to handle intentional threats.