Of the major security breaches in 2014, many were not caused by hackers in some foreign land or the dark underbelly of cyber crime but, rather, by company employees acting maliciously or even just being careless. In the coming year, companies can expect to face many of the same threats and more. With hackers, criminals, and foreign entities creating new and more sophisticated ways to gain access to valuable data held by companies and healthcare facilities, organizations should begin by minimizing the threats that can be more easily controlled. Internal threats can be devastating when they lead to a breach of data or inappropriate access to secure systems. Compounding the damage is the realization that a breach could possibly have been foreseen and avoided.
Malicious Internal IT Security Threats
Whether disgruntled or just greedy, can you really assume everyone in your organization has a heart of gold and would never steal data that could compromise your company, your clients or patients? In two separate incidents in 2014, Home Depot insiders gained access to customer data as well as the data for other employees to either sell the information or to use it to obtain credit cards using the stolen information.
Access Control to Minimize Malicious Threats
The Home Depot employee who was caught selling customer information had legitimate access to the information. But we do not know if that access was really necessary to his job function. Access control is critical to your company’s security.
- When an employee resigns or is terminated, revoke access immediately and change passwords or codes as necessary.
- Only grant access that is necessary to an employee’s job function. If full access is not necessary, allow only partial access when possible.
- Review user credentials regularly. A periodic review could catch any missed employees who left the company or even just left a department or job function within the company that changed their need for system access.
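One way to run the periodic review described above is to reconcile an export of enabled accounts against the HR roster. This is an added example, not code from the article; the CSV column names, usernames and sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample exports (hypothetical columns, not from the article):
# an HR roster and a list of accounts with the entitlement each one holds.
HR_ROSTER = """employee_id,status,department
1001,active,pharmacy
1002,terminated,billing
1003,active,billing
"""
ACCOUNTS = """username,employee_id,enabled,entitlement,granted_for_department
asmith,1001,true,pharmacy_orders,pharmacy
bjones,1002,true,billing_db,billing
clee,1003,true,pharmacy_orders,pharmacy
clee,1003,true,billing_db,billing
svc_old,9999,true,billing_db,billing
dkim,1002,false,billing_db,billing
"""

def review_access(hr_csv, accounts_csv):
    """Return (username, entitlement, finding) for every enabled
    entitlement that no longer matches the HR roster."""
    roster = {r["employee_id"]: r
              for r in csv.DictReader(io.StringIO(hr_csv.strip()))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv.strip())):
        if acct["enabled"].lower() != "true":
            continue  # already revoked, nothing to follow up
        person = roster.get(acct["employee_id"])
        if person is None:
            finding = "no matching employee record"
        elif person["status"] != "active":
            finding = "employee no longer with the company"
        elif person["department"] != acct["granted_for_department"]:
            finding = "granted for a department the employee has left"
        else:
            continue  # access still matches the current job function
        findings.append((acct["username"], acct["entitlement"], finding))
    return findings

if __name__ == "__main__":
    for username, entitlement, finding in review_access(HR_ROSTER, ACCOUNTS):
        print(f"{username:8} {entitlement:16} {finding}")
```

Each finding is a prompt for the access owner to revoke or re-justify the entitlement, not an automatic revocation.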
Careless Internal IT Security Threats
Even the most well-intentioned employee can make a mistake. If they are not aware of the threats and the risks, they could potentially make a very costly mistake. Employees with remote access into your systems are especially vulnerable and may not realize the careless ways they could be putting your company at risk.
Security Training to Minimize Careless Threats
Do not assume your employees are technically savvy or have IT security on their minds when they are accessing critical systems or data. When employees are not made aware of potential risks, they may themselves become a threat to your organization simply by being good natured and too trusting.
- Limit remote access if possible, and train employees to access your systems from off site or from mobile devices only when the device is secure and using a known, secure network.
- Teach employees to recognize threats that could use their own good intentions against them. Phishing attacks are on the rise and they have evolved beyond the money laundering scheme emails from foreign countries. Hackers and social engineers may be quite creative and could use a little piece of information about your company to trick employees into releasing more.
- Keep an open dialogue within your company about IT Security. Use our free, monthly IT security tips to give employees memorable bites of information and to remind them often to be safe.
Curious Internal IT Security Threats
We saw news this week of an employee at an Ohio hospital being fired after snooping in patient files apparently out of simple curiosity. This may have been pure voyeurism, the employee may have just been bored, but this extracurricular access poses a grave security risk and a serious HIPAA violation for the hospital. We have seen examples of employees looking for information on family members and people they have been involved with in relationships that did not end well. The liability concerns for such irresponsible employees are real, especially for facilities and companies that store healthcare data.
Policies in Place to Minimize Curious Threats
The case in Ohio is really not an isolated incident. In 2013, a nurse at a Tampa hospital accessed the private medical records of a relative and shared the information with other family members. The damage done by such a breach is not isolated to the family or the person whose information was compromised. Curious, snooping staff pose a real risk to their employers and jeopardize compliance. This is a risk that can and should be mitigated preemptively but, when it does occur, policies and disciplinary action should be enforced swiftly.
- Strong access policies should be in place to specify what is acceptable and necessary data access.
- Training and constant reinforcement of policies and expectations are necessary.
- A zero-tolerance policy should be made clear and swift action should be taken if such casual access to client or patient data is discovered.
Every organization must maintain an open dialogue regarding the best practices, policies, and expectations for responsible security and data access practices – along with clear consequences for actions that could lead to a breach. You may not be able to avoid every threat from external hackers determined to get into your systems or to find your valuable data. But the internal threats can often be prevented or significantly reduced by taking simple preemptive steps to protect your organization as well as your employees.