In 2019, Desjardins, one of Canada’s largest financial services companies, suffered a data breach that exposed the data of 2.7 million people and 173,000 businesses, representing more than 40% of the credit union’s clients and members. This breach, one of the largest in the Canadian financial industry, was not the result of an external threat but of a malicious internal actor. The case highlights why it is paramount to safeguard business systems against internal threats as much as external ones.
According to a 2018 Cost of a Data Breach Study by Ponemon Institute, hackers and insider actors are the leading reason behind data compromises. Businesses are beginning to address the need to safeguard their business systems to prevent employee-related data compromises. Here are five practical measures an organization can take to prevent insider threats.
1. Ensure your employee background checks are solid
Knowing who your employees are is critical to safeguarding your business systems from bad actors. Many organizations employ third-party security vendors to check employee backgrounds. Credit data, criminal and motor vehicle reports, lifestyle and behaviour are a few factors an organization must consider verifying before hiring new employees.
2. Safeguard your business systems through employee training
According to a 2020 report by Ponemon Institute on Cost of Insider Threats, the financial burden of insider threats has shot up by 31% in two years to $11.45 million. The majority of attacks – 62% – are from negligent employees, while the remaining 23% and 14% result from criminal and credential insiders.
The first step in safeguarding your business systems should be regular employee training and refresher courses. Train your employees on your company’s data security policies: keeping passwords private, choosing strong passwords, watching for phishing email, installing only approved software and only with approval, locking their computer when leaving their desk, and being careful when sharing sensitive information, to name a few.
3. Limit access to data using access control systems
As much as you may trust your employees, it’s important to have security controls in place. One of the most effective ways to safeguard business systems from internal security threats is to restrict access to information by level. Companies may consider role-based access control as part of their security strategy.
Three basic rules define role-based access control:
- A user can exercise a permission only if the user has been assigned a role.
- A user’s active role must be one the user is authorized to hold.
- A user can use a permission only if that permission is authorized for the user’s active role.
Access control software, along with a security administrator, makes this simple to implement.
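The three rules above, as an added example that is not part of the original post: a minimal RBAC checker in which each rule is enforced at a separate point. The users, roles and permissions are constructed for illustration.

```python
# Added example: minimal role-based access control (RBAC) enforcing the
# three rules from the post. All names and data here are constructed.
from dataclasses import dataclass, field


@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)  # role -> permissions it may use
    user_roles: dict = field(default_factory=dict)  # user -> roles assigned (rule 1)
    active: dict = field(default_factory=dict)      # user -> currently active role

    def assign_role(self, user, role):
        """Rule 1: a user gains access only by being assigned a role."""
        self.user_roles.setdefault(user, set()).add(role)

    def activate_role(self, user, role):
        """Rule 2: a user may only activate a role they are authorized to hold."""
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned role {role!r}")
        self.active[user] = role

    def check(self, user, perm):
        """Return True only if all three rules are satisfied for this request."""
        if not self.user_roles.get(user):          # rule 1: no assigned role
            return False
        role = self.active.get(user)
        if role is None or role not in self.user_roles[user]:
            return False                           # rule 2: active role not authorized
        return perm in self.role_perms.get(role, set())  # rule 3: permission check


def build_demo():
    """Constructed scenario: a teller and a marketing role with distinct permissions."""
    rbac = Rbac(role_perms={
        "teller": {"view_account"},
        "marketing": {"export_member_list"},
    })
    rbac.assign_role("alice", "teller")
    rbac.assign_role("alice", "marketing")
    rbac.activate_role("alice", "teller")  # alice works as a teller right now
    return rbac


def activation_rejected(rbac, user, role):
    """True if activating `role` for `user` is refused by rule 2."""
    try:
        rbac.activate_role(user, role)
    except PermissionError:
        return True
    return False
```

Because a permission is only usable through the active role, the same user can be prevented from exporting a member list while acting as a teller even though they also hold the marketing role.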
4. Safeguard your business against phishing and other social engineering attacks
You can also minimize the risk of phishing attacks with dedicated cybersecurity software that detects and filters out suspicious emails and links.
Multi-factor authentication adds another effective layer of security. Since most phishing attacks try to extract passwords from victims, multi-factor authentication can stop cybercriminals from using a stolen password to reset or take over an account.
Security software can only do so much to protect your business systems and data from employee-targeted social engineering attacks. The best protection against targeted social engineering is awareness and constant vigilance. Consider a dedicated training program that teaches your employees how social engineering attacks work and how they can be avoided.
We have detailed how you can safeguard business systems against phishing attacks in our earlier blog.
5. Have a dedicated BYOD and remote work policy
With more and more people working remotely, more personal devices are connected to business networks than ever before. Employees using their own devices may increase your company’s security risk since, typically, personal devices are not as well protected against cyber threats.
Using a Virtual Private Network or VPN server is one way to help personal devices connect to an organization’s IT network securely. A dedicated endpoint detection, protection, and response platform can further safeguard business and client data from cyber threats while allowing your employees to work remotely.
Cybersecurity threats are here to stay. An organization can safeguard business systems against cyber-attacks by creating policies that support a secure IT infrastructure. Some companies also use 3rd party vendors to ensure their IT systems do not have pre-existing vulnerabilities. PacketLabs is a Toronto-based penetration testing team that helps businesses uncover vulnerabilities industry standards overlook. You can receive free quotes on our pen testing services, and we’ll get in touch with you within 48 hours.