Protecting The Crown Jewels From Insider Risk for SMEs

Protect Your Critical Assets From Insider Threa

Every time an employee leaves your business, it places your Intellectual Property (IP) and Critical Data at risk.

Intellectual Property refers to your patents, trade secrets, copyright, trademarks and new concepts or ideas. Critical Data, by contrast, covers anything that contributes to the running of your business, including business plans, sales/customer information (impacted by GDPR), rate plans, and financial data such as revenue, profits and stock price.

This post will focus on the importance of protecting Personally Identifiable Information (PII), which is often listed in customer databases and stolen by departing employees. With new GDPR laws, companies have to report breached data to the supervisory authority within 72 hours. And if the security breach is likely to result in a high privacy risk for an individual, the individual will also need to be informed of the breach.

Thus, there has never been a more critical time to stop your data walking out of the door with a departing staff member or disgruntled employee. A failure to protect it will result in untold financial and brand damage that may be difficult to recover from.

Here are some tips on what your business needs to consider.

At the outset of your business’s relationship with a staff member, it is important to have the minimum in place:

Your Culture:

Your Legal Agreement:

Your Technical Ability:

  • Implement monitoring tools that track the movement of critical data, such as files emailed to personal email accounts, excessive printing of confidential documents, and copying of files containing strings such as bank codes or dates of birth.
  • Encrypt critical files to ensure authorised access only, with the ability to remotely remove access rights should an employee leave or exhibit disturbing behaviour.
  • Monitor for compromised emails and passcodes that have been exposed on the dark web.
  • Implement an exit policy to close old accounts, remove access levels and close down redundant web pages.
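
The first tip above, as an added example that is not part of the original post: a Python check that flags attachments sent to personal email accounts when they contain strings shaped like dates of birth or bank codes. The domain list, the formats matched (DD/MM/YYYY and NN-NN-NN), the threshold and the message structure are assumptions, and the sample messages are constructed.

```python
import re

# Assumption: domains treated as personal webmail; tune to your environment.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Assumed formats: dates of birth as DD/MM/YYYY, bank codes as NN-NN-NN.
PII_PATTERNS = {
    "date_of_birth": re.compile(
        r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b"),
    "bank_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
}
PII_THRESHOLD = 3  # assumed: total matches in one attachment before alerting


def scan_outbound(messages):
    """Return one alert per attachment sent to a personal address with PII hits."""
    alerts = []
    for msg in messages:
        personal = [r for r in msg["recipients"]
                    if r.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS]
        if not personal:
            continue  # business-to-business mail is out of scope for this check
        for filename, text in msg["attachments"]:
            counts = {name: len(p.findall(text))
                      for name, p in PII_PATTERNS.items()}
            if sum(counts.values()) >= PII_THRESHOLD:
                # Record counts only, never the matched values, so the alert
                # log does not become a second copy of the PII.
                alerts.append({"sender": msg["sender"], "recipients": personal,
                               "file": filename, "hits": counts})
    return alerts


# Constructed sample data (not real customers or accounts).
CUSTOMER_CSV = ("name,dob,sort_code\n"
                "Jane Doe,14/03/1985,20-45-77\n"
                "John Roe,02/11/1979,40-12-09\n"
                "Ann Poe,27/06/1992,30-98-41\n")
SAMPLE_MESSAGES = [
    {"sender": "alice@example-corp.test", "recipients": ["alice.home@gmail.com"],
     "attachments": [("customers.csv", CUSTOMER_CSV)]},
    {"sender": "bob@example-corp.test", "recipients": ["ops@partner.example"],
     "attachments": [("customers.csv", CUSTOMER_CSV)]},
    {"sender": "carol@example-corp.test", "recipients": ["carol@yahoo.com"],
     "attachments": [("lunch.txt", "Team lunch moved to 01/02/2020")]},
]

if __name__ == "__main__":
    for alert in scan_outbound(SAMPLE_MESSAGES):
        print(alert)
```

Only the first message raises an alert: the second goes to a non-personal domain and the third stays below the threshold.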

Your HR Processes:

  • Include a detailed confidentiality clause in employment contracts and ensure staff members understand their obligations before signing the agreement.
  • Implement a data security onboarding process that covers the use and restrictions of managing data and staff members' obligations to security.
  • Manage poor performance, weak leadership and disgruntled staff members, as revenge, greed and bitterness are the main factors that motivate people to commit theft and destroy data.
  • Apply a process that manages high-risk staff members, including changing access levels due to changes in job role and restricting access levels for departing employees.
  • Implement exit interviews to continuously improve the way you manage departing staff members and your security.
  • When a staff member is terminated, made redundant or resigns, implement a process that ensures critical data is returned to the company.

Should a data breach occur?

This is not an exhaustive list; however, for small to medium businesses that have limited access to security experts, it highlights some of the basic security processes that will help protect your critical data.

Harrman Cyber operates with a conglomerate of data and security experts who provide cost-effective advice, solutions and outsourced expertise to help small to medium businesses protect their critical assets from a data breach.

Tanya Harris, CEO, Harrman Cyber and Cyber Security for SME’s

Tanya Harris CEO, Speaking Events

Past Events: Topic Women talk IT: Women in Security

Tanya discussed common data breaches and the link to insider threat and, more importantly, how the insider threat can take on several different forms, and how the attack is usually initiated from within your network versus outside. In the past, security has focused on solutions such as firewalls, antivirus and IDS/IPS. It is becoming increasingly important to recognise that technology alone cannot prevent insider threats, as technologies that stop one type of insider attack may not necessarily be effective against others. IT needs support from other divisions in order to effectively tackle this growing problem. When a company takes a multi-faceted approach to cybersecurity, by providing a comprehensive range of solutions such as access control, encryption technologies, employee engagement and training, it significantly increases its defences against insider attacks.

Past Event: AISA Sydney May 2017. Topic: Challenges how we look at Cyber Security.

Tanya discussed growing trends, changes to legislation, including ASIC’s focus on Board Members’ responsibility to Cyber Security, Europe’s new GDPR laws, and why insider threat needs to be at the core of protecting data.