Corporations Lose Data in Ways They Didn’t Imagine
Insider threats make up a large portion of cyber security risk. It’s a third of the risk when you manage sensitive data on your network. Most organizations think of cyber security risk and insider threats in terms of malicious employees, but it’s not always malicious intent that leads to data loss. Negligence, phishing, malware, and other events are also causes of data leaks. But the source of data loss doesn’t matter when it’s severe enough to cause lawsuits, investigations, and brand damage.
Bring Your Own Device
Many corporations have adopted their own BYOD (bring your own device) policies. They allow any employee to bring a laptop, smartphone or tablet and connect it to the network. It’s convenient, especially when you have employees who travel or need to take work home. BYOD is common even with smaller companies, but standards and policies should be used no matter the size of the organization.
The issue most organizations run into is that they don’t properly secure the network when users bring their devices to work. Users might have antivirus software on their machines, but the organization has no control over the content installed on the device or even if the device’s antivirus is updated regularly. This leaves an open vector for an attacker that wants to install malware on a network.
Larger organizations have a BYOD policy and then provide devices to the employee. This is a better option because the organization then has control of the device, its settings, and the content that’s installed on it. Think of a smartphone that users bring home from work. If the organization owns the device, then it can keep the antivirus software updated and enforce settings that reduce the risk of compromise. For instance, the organization can set the device to wipe itself should an attacker attempt to guess the passcode to access an iPhone or an Android.
Steep Fines for Poor Data Management
Fines for poor data management continue to increase as more organizations are found out of compliance. PCI compliance imposes strict guidelines for data and steep fines should the organization fail to properly adhere to its mandates. HIPAA is another regulatory framework, covering healthcare organizations. An organization can be fined thousands of dollars for a single breached record, so it’s imperative for an organization to properly protect and store its data.
Even with the right policies in place, it’s still possible for an attacker to gain access to data due to employee negligence. This is where auditing and logging are necessary. For any record that contains private data, there should always be logging policies in place that record who had access to the records, who opened the records, and which data was accessed. Some companies require a PIN from the customer, and without this PIN the employee is unable to open the record.
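The access-logging and customer-PIN control described above, sketched as an added example (not code from the original article or from any product it mentions). Record ids, the employee names, the PIN and the salt are constructed sample values; a real deployment would store PIN hashes with a slow KDF and ship the audit log to a tamper-resistant store.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data: one customer record gated by a customer PIN.
# The PIN is stored only as a salted hash (constructed salt and PIN).
PIN_SALT = "constructed-salt"
RECORDS = {
    "cust-1001": {
        "pin_hash": hashlib.sha256((PIN_SALT + "4821").encode()).hexdigest(),
        "fields": {"name": "A. Example", "ssn": "xxx-xx-1234"},
    }
}
AUDIT_LOG = []  # append-only list of access attempts, successful or not


def _pin_matches(record_id, pin):
    """Constant-time comparison of the presented PIN against the stored hash."""
    expected = RECORDS[record_id]["pin_hash"]
    given = hashlib.sha256((PIN_SALT + pin).encode()).hexdigest()
    return hmac.compare_digest(expected, given)


def open_record(employee, record_id, pin, fields):
    """Release only the requested fields if the customer PIN checks out.

    Every attempt is logged with who, which record, which fields and the
    outcome, so denied attempts are visible to auditors as well.
    """
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "employee": employee,
             "record": record_id, "fields": sorted(fields), "outcome": "denied"}
    if record_id in RECORDS and _pin_matches(record_id, pin):
        entry["outcome"] = "opened"
        AUDIT_LOG.append(entry)
        data = RECORDS[record_id]["fields"]
        return {f: data[f] for f in fields if f in data}
    AUDIT_LOG.append(entry)
    return None


def access_report(record_id):
    """Who opened this record, when, and which fields: what an investigation asks."""
    return [e for e in AUDIT_LOG if e["record"] == record_id]


def repeated_denials(employee, threshold=3):
    """Flag an employee with repeated PIN failures (possible guessing or misuse)."""
    n = sum(1 for e in AUDIT_LOG if e["employee"] == employee and e["outcome"] == "denied")
    return n >= threshold
```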
Monetary Loss is More Than the Obvious
Most organizations think of the obvious in terms of monetary loss. Lawsuits and brand damage are obvious results when data is breached, but other issues, such as falling stock prices or valuations and a loss of productivity while pending investigations run their course, are the not-so-obvious ones.
It’s these unforeseen costs that can add up to serious expense and debt after a data breach. Some costs cannot be avoided, but providing the best in data protection, along with user education that helps employees recognize cyber security threats, will reduce the likelihood of a successful data breach by an attacker.
For social engineering and physical threats, GateKeeper will lock a desktop when a user walks away. This provides physical protection against outside attackers who are able to gain entrance to the premises.