can be extremely damaging for a company, whether they are accidental or intentional. It might surprise you to know that the employees of a company are just as much of a threat as cyber thieves. While less than 5% of cyber attacks come from an internal source, when they are internal they have more potential for major harm because employees know where to find critical information and how to maximize use of the data they steal.
Bank of America faced a disastrous internal data leak in 2011 that was widely publicized. An employee sent account information on hundreds of customers to identity thieves. Bank of America lost around $10 million and was forced to deal with a public relations nightmare.
Part of the reason why internal data leaks are more dangerous is that IT personnel tend to focus their efforts on securing a company’s networks from the outside, but overlook internal issues. To shield yourself from an internal threat, you need to target the network, the host device, and the people who move and change data.
At the network level, you need controls that analyze network traffic and regulate the flow of sensitive data. Part of this includes training employees on how to handle this data. The human aspect of data security is among the most error-prone, so make sure that training is constantly emphasized.
Email and the Internet are the two most common means of moving data out of your company. Make sure that employees are subject to numerous controls on how they use not only their corporate email address, but their personal email address as well. For an extra level of security, you might want to implement a “four-eye check” where a manager physically looks over the content of an email and who it is sent to before an employee sends sensitive data.
Obviously, a malicious individual could try to skip a four-eye check, so it might be a good idea to connect employees’ email boxes to that of their manager so their activity can be monitored. It’s not a matter of snooping—it’s a matter of security, whether it’s preventing an intentional or accidental mistake.
There are also excellent gateway options that automatically monitor data sent out of your company’s network. Systems from vendors like Barracuda, Cisco IronPort, McAfee, and others can flag terms that are sensitive, and track down data like social security numbers that should never leave your network. You can specify where such notices are sent, such as HR personnel or a security team.
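To make the gateway behaviour described above concrete, here is an added Python sketch (not code from this article or from any of the vendors named) that scans one outbound message for social security numbers and sensitive terms and decides who is notified. The domain, term list, notification addresses and sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed policy values for this sketch; none come from the article or a vendor product.
INTERNAL_DOMAIN = "example.com"
SENSITIVE_TERMS = ("confidential", "account number", "internal only")
NOTIFY = {"ssn": "security-team@example.com", "term": "hr@example.com"}
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Drop number ranges that are never issued, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_outbound(raw_message):
    """Return a list of findings for one outbound message (plain-text parts only)."""
    msg = message_from_string(raw_message)
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in rcpts if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return []  # nothing leaves the company, so nothing to flag
    body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    findings = []
    for m in SSN_RE.finditer(body):
        if plausible_ssn(*m.groups()):
            # Report only the last four digits so the alert is not itself a leak.
            findings.append({"type": "ssn", "match": "***-**-" + m.group(3),
                             "notify": NOTIFY["ssn"], "recipients": external})
    lowered = body.lower()
    for term in SENSITIVE_TERMS:
        if term in lowered:
            findings.append({"type": "term", "match": term,
                             "notify": NOTIFY["term"], "recipients": external})
    return findings

# Constructed sample message (not real data).
SAMPLE = """From: alice@example.com
To: bob@example.com, someone@personal-mail.test
Subject: customer list

Confidential: customer SSN 123-45-6789, ticket 000-12-3456, phone 555-867-5309.
"""
```

Only the first number is reported: the ticket number falls in a never-issued range and the phone number does not have the nine-digit shape, which is the kind of filtering that keeps such alerts usable for the HR or security team receiving them.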
As with all security issues, be proactive! If you detect a gap in your systems where an error could take place, it likely will sometime in the future. You can save your company from lawsuits, extortion, and embarrassment by placing controls immediately.