Expanding Insider Threat Security with Employee Training and Awareness
by Mike Vinton, on Sep 2, 2016 10:07:18 AM
When you think of “insider threats,” what comes to mind? Perhaps a disgruntled employee looking to hurt the organization or someone selling company secrets. But not all insider threats have malicious intent. Human error is certainly a leading cause of data breaches. Many incidents result from a mistake by an unwitting employee, such as falling victim to a phishing scam that tricks them into sharing confidential information or covertly installs malware that exposes it.
Phishing is one of the most common and costly insider threats. From lost productivity to replacing credentials to removing malware, an organization with 10,000 employees spends an average of $3.7 million per year dealing with fallout from phishing attacks (Source: 2015 study by the Ponemon Institute sponsored by Wombat Security Technologies).
Removable memory sticks (USB drives) are another potential source of “accidental” insider threats. A UK security firm found that an estimated 22,000 USB sticks are found by dry cleaners every year; only 55% are returned to their owners. In 2014, the Internal Revenue Service (IRS) reported that an employee had taken home a USB drive containing unencrypted personally identifiable information on 20,000 IRS employees and plugged it into his personal computer. While no breach was known to have occurred, the danger of such a breach is enough to cause some organizations to ban USB drives altogether.
Accidental insider threats, such as phishing scams or using an exposed or infected USB device, can effectively be limited through a number of strategies:
- Allowing access to only the data an employee needs to do their job
- Comprehensive file sharing policies and useful collaboration tools
- Employee training regarding security awareness and precautions
GTRI recently partnered with Wombat Security Technologies, which provides training that teaches employees secure behavior. Wombat’s program includes interactive online modules as well as simulated attacks and knowledge assessments that help organizations understand where their weaknesses lie with regard to human error and potential cyberattacks. This approach has reduced successful phishing attacks and malware infections by up to 90%.
Protecting your company’s and your customers’ data from insider threats takes a many-pronged strategy. Training employees to avoid accidental incursions is a key part of the plan.
Mike Vinton is Business Development Manager for Enterprise Sales at GTRI.