Data breaches continue to surface across organizations of every size, and while the first question is usually about the security of the compromised network, the root cause often lies with the organization’s own employees. A study by Forrester found internal threats to be the leading cause of data breaches. The study spanned Canada, France, Germany, the UK and the U.S. and found that 36% of breaches involve the organization’s employees inadvertently misusing data. The study also revealed that “only 42% of the North American and European small and midsize business workforce surveyed had received training on how to remain secure at work, while only 57% say that they’re even aware of their organization’s current security policies.”
These findings show that preventing data breaches is not only a matter of technical infrastructure and configuration, but also of educating employees and keeping them aware. Too often, end users do not understand the consequences of clicking a malicious link, of storing or disposing of data improperly, or of falling for a social engineering attempt.
Data Security Controls
Developing, implementing and adhering to controls can help mitigate the risks posed by internal threats. Such controls include, but are not limited to:
- Requiring security awareness training and periodic informational updates to all end-users
- Documenting acknowledgement of the security awareness training and informational updates
- Surveying employee awareness as it relates to data security
- Monitoring and maintaining control over external access and data downloads
- Protecting critical files from modification, deletion and unauthorized disclosure
- Disabling accounts and/or connections upon employee termination
- Preventing the use of unauthorized removable storage media
- Identifying all access paths into organizational information systems
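Several of the controls above (disabling accounts on termination, controlling external access, identifying every access path) only work if someone checks that they actually happened. As an added example that is not part of the original article and not a Schneider Downs tool, the following Python script reconciles an HR roster against a directory account export and flags four conditions an offboarding review should catch: terminated employees whose accounts are still enabled, logons recorded after a termination date, enabled accounts with no matching HR record (orphaned or unreviewed service accounts), and enabled accounts that have been dormant past a threshold. The HR and directory records are constructed sample data, and the field names and the 90-day dormancy threshold are assumptions; in practice the two inputs would be exports from the HR system and the directory.

```python
"""Offboarding and dormant-account reconciliation check.

Added example, not code from the original article. Cross-references an HR
roster against a directory export to find accounts that should have been
disabled or reviewed. Field names (username, status, termination_date,
enabled, last_logon) and the 90-day threshold are assumptions.
"""
from datetime import date, timedelta

DORMANT_DAYS = 90  # assumption: enabled accounts unused this long get reviewed

# Constructed HR roster: username -> employment status and termination date
HR_ROSTER = {
    "alice": {"status": "active",     "termination_date": None},
    "bob":   {"status": "terminated", "termination_date": date(2014, 5, 30)},
    "carol": {"status": "terminated", "termination_date": date(2014, 6, 13)},
    "dave":  {"status": "active",     "termination_date": None},
    "erin":  {"status": "active",     "termination_date": None},
}

# Constructed directory export: one row per account (last_logon None = never)
DIRECTORY = [
    {"username": "alice",      "enabled": True,  "last_logon": date(2014, 6, 16)},
    {"username": "bob",        "enabled": True,  "last_logon": date(2014, 6, 2)},   # terminated, still enabled, used after termination
    {"username": "carol",      "enabled": False, "last_logon": date(2014, 6, 12)},  # terminated and correctly disabled
    {"username": "dave",       "enabled": True,  "last_logon": date(2014, 1, 4)},   # active employee, account dormant
    {"username": "erin",       "enabled": True,  "last_logon": None},               # active employee, never logged on
    {"username": "svc_backup", "enabled": True,  "last_logon": date(2014, 6, 15)},  # no HR record: service or orphaned account
]


def reconcile(hr_roster, directory, today, dormant_days=DORMANT_DAYS):
    """Return findings keyed by category; each value is a sorted list of usernames."""
    findings = {
        "terminated_still_enabled": [],
        "logon_after_termination": [],
        "no_hr_record": [],
        "dormant_enabled": [],
    }
    cutoff = today - timedelta(days=dormant_days)
    for acct in directory:
        user = acct["username"]
        last_logon = acct["last_logon"]
        record = hr_roster.get(user)
        if record is None:
            # Every account must map to an owner; unknown accounts are an access path nobody reviews.
            findings["no_hr_record"].append(user)
        elif record["status"] == "terminated":
            term = record["termination_date"]
            if acct["enabled"]:
                findings["terminated_still_enabled"].append(user)
            if last_logon is not None and last_logon > term:
                # Use after the termination date is the strongest signal of an incomplete offboarding.
                findings["logon_after_termination"].append(user)
        # Dormancy applies to every enabled account, owned or not.
        if acct["enabled"] and (last_logon is None or last_logon < cutoff):
            findings["dormant_enabled"].append(user)
    return {key: sorted(users) for key, users in findings.items()}


def report_lines(findings):
    """Render findings as one line per issue, for a ticket or review log."""
    lines = []
    for category, users in findings.items():
        for user in users:
            lines.append(f"{category}: {user}")
    return lines


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, DIRECTORY, today=date(2014, 6, 17))
    for line in report_lines(result):
        print(line)
```

Run against the sample data with a review date of 2014-06-17, the script flags bob twice (still enabled and used after termination), svc_backup as unowned, and dave and erin as dormant; carol, whose account was disabled on time, generates nothing. The same reconciliation run on a schedule, with the directory export replaced by a live query, is the check that turns the "disable accounts upon termination" control from a policy statement into something that is verified.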
Don’t let your organization be the next data breach victim. Promote data security awareness within your organization through recurring training and informational sessions. Several universities and organizations cover the topic and publish articles for the public. The research law professor who founded Teach Privacy believes that the greatest threat to an organization is internal. Stanford University has published a document of general questions that may be asked about information security prior to a security risk assessment. The Software Engineering Institute at Carnegie Mellon University in Pittsburgh has commented on seven ways insider threat products can protect your organization.
If you have any questions or concerns about your organization’s data security and/or awareness programs, please feel free to contact Eric Wright at 412-697-5328 or at firstname.lastname@example.org.
© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.