While organizations are increasingly trusting their employees and others who have insider access to keep information safe, most in this group believe it’s actually not their personal responsibility to do so.
Shocking, right? People across the entire business are now targets for cyber criminals, so everyone from the top down should take responsibility for information security and risk management. But they’re not.
Let’s take Ben as an example. He has been a member of the sales team at his company for nearly two years. Although relatively successful in his role, he is rather bored with his job and often complains that IT security policies get in the way of real progress.
Since Ben works remotely, his IT team has given him administrator access to his machine. Ben used to only log in as an administrator if he needed to do simple things requiring administrator access — things like installing a new printer or downloading and installing new drivers. More recently though, Ben has been working from his administrator account “because it’s just easier”.
Ben has no ill intent toward his employer, but he does not hesitate to install software from unauthorized sources if he thinks he needs it. The company’s IT director is aware of Ben’s actions, but makes no effort to address Ben’s behavior since “pretty much everyone does it anyway” (making the IT director equally guilty of being a negligent insider).
One day, while working on a sales presentation, Ben began searching the internet for new icons, and discovered what he thought was an icon generation program, which he promptly downloaded to his system.
Unfortunately for Ben, what he downloaded was malware. Because Ben was logged in as an administrator, it ran with full control of his machine, which allowed an outside attacker to breach the company network via Ben’s computer, obtain access to the company’s customer database and subsequently steal private customer information.
This is a textbook case of negligence, and it can severely impact an organization’s bottom line. Costs vary widely from incident to incident, but the average cost of an incident caused by negligence is nearly $207,000.
The good news is that there are steps to mitigate the negligent insider threat and to proactively address employees or contractors in your business who seemingly have no regard for information security policies. At NTT Security, we recommend the following:
- Build “protecting information security” into each employee’s goals and objectives, so that each of them knows that personal responsibility for protecting company data comes with being employed by your organization.
- Implement security awareness training. Effective security awareness training can increase an employee’s understanding of the impact their actions can have on the organization.
- Implement a “no tolerance” policy, and ensure employees and contractors understand that intentionally circumventing information security policies will have consequences.
- Provide administrator-level access only to those for whom that level of access is critical to their role, and have everyone else work from a standard user account, elevating only when a specific task requires it.
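The last recommendation is only as good as your ability to find accounts like Ben’s that already hold standing administrator rights. The script below is an added example, not part of the original post or NTT Security’s tooling: it audits the local Administrators group on a Windows endpoint against an approved list and, only when asked, removes anything that is not on it. It uses the `Get-LocalGroupMember` and `Remove-LocalGroupMember` cmdlets that ship with Windows PowerShell 5.1 and must run from an elevated session; the `CORP\Workstation Admins` group in the default allowlist is a hypothetical name you would replace with your own.

```powershell
<#
  Added example (not from the original post): report, and optionally remove,
  standing membership in the local Administrators group that is not on an
  approved list. Run elevated. Use -Remediate -WhatIf first to preview changes.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed allowlist: the built-in local Administrator and a hypothetical
    # domain group that holds the people whose role genuinely requires admin.
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins'),

    # Without this switch the script only reports; nothing is changed.
    [switch]$Remediate
)

# Every member of the local Administrators group whose name is not approved.
# Names come back as COMPUTER\user or DOMAIN\user, so compare the full string.
$unapproved = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $Approved -notcontains $_.Name }

if (-not $unapproved) {
    Write-Host "No unapproved members in $env:COMPUTERNAME\Administrators."
    return
}

foreach ($member in $unapproved) {
    # ObjectClass is User or Group; PrincipalSource tells you whether the
    # account is Local, ActiveDirectory or a MicrosoftAccount.
    Write-Warning ("Standing admin rights on {0}: {1} ({2}, source {3})" -f
        $env:COMPUTERNAME, $member.Name, $member.ObjectClass, $member.PrincipalSource)

    # ShouldProcess honours -WhatIf and -Confirm, so a dry run is safe.
    if ($Remediate -and $PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
    }
}
```

Run it without switches first to see who holds standing admin rights on a machine; in Ben’s case his everyday account would show up as a local user with source Local. Removing that account from the group does not prevent him from installing a printer driver, it only means he has to elevate with a separate admin credential for that one task, which is the pattern he was supposed to follow all along. Roll the script out through your endpoint management tooling so the check runs on every workstation, not just the ones you already suspect.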
For more information on the negligent insider threat, or other types of insider threats that could be lurking in your business, download our Q3 ‘17 Threat Intelligence Report.