When you think of a security threat, what comes to mind? A ransomware attack? A thief drilling into your vault and stealing your money? An unpatched vulnerability that could expose sensitive data?

While all of these threats represent external forces, it's just as important to remember your internal threats, too. In this post, we'll discuss a few ways you can stay on top of insider threats to your organization's data and reputation and take appropriate steps to protect your employees, not just from outsiders, but from themselves.

Employee training

The big, obvious insider threat here is that bad actors can manipulate unsuspecting employees into handing over sensitive information. Consider implementing training that doesn't just make people aware of potential threats but actually embeds security practices throughout the business, so that an employee doesn't have to decide on the spot whether they're being tricked. Building a culture of security from the ground up, with periodic refresher sessions, is much more effective than a few one-off training sessions.

Secure access controls

Admin privileges are not candy, so don't hand them out freely. Grant admin access only to the few people who need it to do their jobs, review who still holds it on a regular schedule, and revoke it the moment it is no longer needed. When an employee leaves the company, disable their accounts the same day and rotate any shared credentials they knew, such as network device passwords, service account passwords and API keys.
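The review step above is easy to state and easy to forget. The following is an added example, not code from the original post: it reconciles an export of a privileged group (think Domain Admins or a cloud admin role) against the HR roster and flags the cases that need action. The sample data and field names (user, last_admin_login, employment status) are constructed for illustration; a real run would read them from your directory and HR system.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export of the admin group: who holds admin rights and
# when they last exercised them (ISO 8601, None = never).
ADMIN_GROUP = [
    {"user": "alice",      "last_admin_login": "2024-03-10T09:12:00+00:00"},
    {"user": "bob",        "last_admin_login": "2023-09-01T17:40:00+00:00"},
    {"user": "carol",      "last_admin_login": "2024-03-11T08:05:00+00:00"},
    {"user": "erin",       "last_admin_login": "2023-11-01T12:00:00+00:00"},
    {"user": "svc-backup", "last_admin_login": "2024-03-11T02:00:00+00:00"},
    {"user": "dave",       "last_admin_login": None},
]

# Constructed HR roster: employment status per account name. Accounts that are
# not in HR at all are typically service accounts or leftovers with no owner.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",
    "carol": "active",
    "erin": "active",
    "dave": "active",
}

# Date of the audit run, fixed so the example is reproducible.
AUDIT_TIME = datetime(2024, 3, 12, tzinfo=timezone.utc)


def audit_admins(admins, roster, now, stale_after=timedelta(days=90)):
    """Return (user, reason, detail) tuples for admin entries that need action.

    Reasons: 'terminated' (owner has left, revoke now), 'orphan' (no HR record,
    find an owner or remove), 'unused' (privilege never exercised, remove),
    'stale' (not exercised within stale_after, remove unless justified).
    """
    findings = []
    for entry in admins:
        user = entry["user"]
        status = roster.get(user)
        if status is None:
            findings.append((user, "orphan", "no HR record; assign an owner or remove"))
            continue
        if status != "active":
            findings.append((user, "terminated", "HR status is %s; revoke admin rights" % status))
            continue
        last = entry.get("last_admin_login")
        if last is None:
            findings.append((user, "unused", "admin rights never exercised; remove from group"))
            continue
        idle = now - datetime.fromisoformat(last)
        if idle > stale_after:
            findings.append((user, "stale", "admin rights unused for %d days; remove from group" % idle.days))
    return findings


if __name__ == "__main__":
    for user, reason, detail in audit_admins(ADMIN_GROUP, HR_ROSTER, AUDIT_TIME):
        print("%-12s %-11s %s" % (user, reason, detail))
```

Run it on a schedule and treat every non-empty result as a ticket, not a report to file away. The "stale" threshold is the interesting knob: 90 days is a common starting point, but the right value is whatever makes people ask for elevated access when they need it instead of keeping it permanently.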

Two-factor authentication

Two-factor authentication has become widely adopted, but a critical component of a strong 2FA strategy is choosing the right second factor. SMS is NOT a secure second factor, as security researchers have long stressed and as Reddit found out in June 2018, when attackers intercepted employees' SMS codes. A phone number can be hijacked through SIM-swap fraud or through weaknesses in the carrier signaling network (SS7), so calls and text messages get rerouted to the attacker and 2FA is effectively dismantled. For accounts or systems you value, set up 2FA with an app such as Google Authenticator or Duo that generates a time-based one-time code (TOTP) on the device itself, so there is nothing to intercept in transit. Where the option exists, a hardware security key (FIDO2/U2F) is stronger still, because it cannot be phished and relayed the way a typed one-time code can.

Don’t forget

Security is only as strong as your weakest link. Many companies pour money into their firewalls, anti-virus, IDS and other security measures, which is great, but don't forget about the people who already work inside your little fortress and hold the keys to the kingdom. Remember, someone is bound to make a mistake: 22 percent of unplanned outages in 2016 were due to human error, according to a Ponemon study. When a mistake does happen, consider whether it was the result of a confusing policy or process and determine if that can be improved. You'll also want a strong disaster recovery / business continuity plan that accounts for these kinds of mistakes (and other disasters) and can help you get back up and running as soon as possible.