IT-related threats originate from multiple angles, all of which require proper attention and application of mitigation techniques. Perhaps the biggest threat to a company’s IT security is their internal contacts (staff, vendors, contractors, etc.). Many companies are utilizing heightened IT security measures, but fail to account for the negligible or malicious actions from these internal contacts who often have high-level access to company systems. Inside access often isn’t monitored and can easily lead to stolen data or corrupted systems.
Cyber-attacks are commonplace in the news as of late. Breaches impacting large corporations are in the news daily, damaging the company’s integrity and affecting millions of customers. Their brand reputation is compromised, and they likely end up spending significant dollars on damage control, vulnerability mitigation and disaster recovery. In some cases, these companies must also replace their CEO and CIO. It is for this reason that adopting a strong cyber risk mitigation plan is essential. While an insurance program can help to mitigate the financial loss, the damage to your company’s ability to operate and your reputation could be much more detrimental.
A recent article in The Harvard Business Review goes into graphic detail regarding the financial and brand impact a cyber-breach can have on a company. Here are several IT threats to consider:
- Unprotected or lax vendor security – Who, outside of your company, has access to your files (hard copy or electronic)? Who can access your buildings and offices? Your data is stored in the Cloud. How secure are the Cloud servers? Who manages them? In what country are they located? And who are the other tenants cohabiting on the server?
- Personal devices used for work – Employees want to bring their favorite tech device to work and plug it into your network. They will also pop USB drives into the systems without considering the risks.
- Social media – Everything from romance scams to cyber blackmail are initiated through social media sites such as Facebook, Twitter, and LinkedIn.
In order to mitigate cyber risks, companies should consider the following:
- Create a relationship with a trusted advisor. Have an expert on-call who is trained to identify scams and phishing attempts and can help keep your information safe from unknowledgeable staff.
- Monitor your staff’s actions. Employ a web filtering service that will stop malicious code from entering the network through the web and also record staff’s surfing sessions. Reports should be viewed regularly to identify suspicious behavior and search trends. The service can also be used to prevent users from visiting potentially dangerous and unproductive sites.
- Educate your staff. Instruct staff on how to spot phishing and scam attempts. Often, malicious outsiders will coax an insider to feed them sensitive data or grant them access to the company systems. Staff should also be aware that they should never plug a home or unknown USB device into their work computers without approval from IT first.
- Filter your incoming e-mail. Similar to web filtering, a mail filtering service will prevent 99% of spam before it reaches the company server or user’s inbox, greatly limiting the potential of an infected attachment or phishing attempt to reach the user.
- Consistently review staff security accounts. Ensure each employee only has access to areas of your system that they need to do their job. If employees are changing positions or moving between departments often, have a checklist prepared for IT to ensure that they are removed from old security groups.
- Adopt an insider policy. A strong cyber security policy will demonstrate to the staff how seriously the company takes the security of data and systems. In addition, it will provide guidelines on proper system use and threat handling procedures.
Creating a strong IT security policy and educating employees on potential security risks will boost your company’s resiliency against internal IT threats.
About the Author
Jon Edwards is the IT Manager for The ALS Group. You can read more about Jon or contact him here.
Click here to request more information about The ALS Group or developing and enforcing an IT security policy.