I read a recent post that has stuck with me. The question raised was how do businesses, especially midsize businesses, budget for insider threats: “Midsize firms simply cannot afford data breaches, no matter what the cause. [But] a company that considers insider threats can take preventive steps. Employees may require access to sensitive information to remain productive, but ensuring that appropriate security steps are taken is KEY to keeping a firm running as smoothly as possible.”
While applying policies such as “least privilege” or “implicit deny” may help keep the accidental data breach from happening, these policies will not prevent internal personnel or vendors who are intent on breaching your network from doing so. This is why it’s critical that you conduct business with the mindset that a data breach could be right around the corner. It’s always better to be prepared rather than surprised, or put another way, proactive rather than reactive.
Here are five ways your business can approach day-to-day operations with this perspective in mind:
The reality is that you probably cannot do business without BYOD, or Bring Your Own Device to work. This means that employees are accessing sensitive corporate data on their smartphones, laptops, and tablets. The best way you can be proactive is to develop and distribute a BYOD policy and train employees on the policy. Police your employees, because the data they’re accessing is your corporate gold. Have them sign an agreement that their device can be wiped, or better yet, only allow access through a web portal. Don’t allow email or documents on devices.
Compliance issues should be on your mind. Is your company covered under the Gramm-Leach-Bliley Act (GLB), Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability & Accountability Act (HIPAA), or California Senate Bill 1386 (SB1386)? Does your company capture Personally Identifiable Information (PII)? Each requires compliance with different types of accountability, and each has its own set of stringent steps that a company must follow after a breach occurs. Be sure you’re up to date on the latest laws and rules so that your business is in compliance and not subject to a penalty or fine.
SOCIAL MEDIA
Most employees use social networking sites for their personal use, but more and more are using their sites to talk about company business. Put your legal team to work and develop an easy-to-understand Social Media Policy. Distribute it to your employees and train them with acceptable and unacceptable examples. In today’s social era, the best brand advocates are your employees, so give them social media tools to promote your brand – but educate them on how to use these tools in ways that benefit everyone without any surprises. You don’t want to wake up one morning only to discover that a Tweet, Facebook post, or Instagram image could put you out of business.
If and when a breach happens, first alert law enforcement, if required. Then alert your customers, stakeholders, and the media – and do so immediately. Don’t sugarcoat the situation. Above all, don’t ignore the situation hoping that no one finds out. You know someone will discover the breach, and you certainly don’t want that individual to run to the nearest media outlet without your knowledge. It’s never a good surprise when you find your company featured on page one of a newspaper or on an online news site with a headline similar to “XYZ Company Knew About Its Breach Three Months Ago.”
PRACTICE GOOD PATCH MANAGEMENT
Believe it or not, patch management is important for both internal and external threats. Vulnerabilities eventually surface in software. The older a piece of software becomes, the greater the chance that hackers will discover vulnerabilities. Patch management helps alleviate this issue because as vulnerabilities are found, they are patched by the developer. An internal threat can bring a payload in-house through USB, DVD, or other bootable media that targets a particular vulnerability. If a vulnerability is patched, there is one less avenue of attack for the hacker to try in his/her attempt to gain a foothold.
To quote Nick Bradley, “Success hinges upon promoting and supporting a risk-aware culture, where the importance of security informs every decision and procedure at every level of the company. That means secure procedures need to become second nature, much like locking the door behind you when you leave home.”
What else would you add to this list? Please chime in.
Inspiration for this post:
“Budgeting for Insider Threats” By Fellow IBM Blogger Marissa Tejada
Image Credit: jscreationzs via FreeDigitalPhotos.net
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.