Just last week, we talked about network security threats and the best practices your firm can employ to keep information safe. You probably think that your security efforts should be focused on the outside - on external risks. But the reality is that the biggest security threat to your firm could be the person sitting right next to you.
During our recent webinar, both eSentire’s Steve McGeown and Eze Castle’s Steve Schoener noted that internal threats to security are just as likely to occur when it comes to cybercrime and security breaches.
A recent Wall Street Journal article, "IT Protects the Company, Who Protects IT," included statistics from a PricewaterhouseCoopers survey of executives about economic crimes. Several jarring statistics were provided, including:
- 56 percent of respondents who said they had experienced economic crime in the past 12 months said the main perpetrator of the most serious fraud was someone inside the organization;
- 53 percent of respondents who saw a risk of cybercrime within their organization said there was a risk of it coming from the IT department, the highest percentage from any department; and
- 18 percent of frauds reported by respondents in 2011 were detected by electronic monitoring of suspicious activity and transactions, up from 5 percent in 2009.
But it’s not just a firm’s IT department that could pose a risk. Anyone at the company with a certain level of access could gain control of sensitive information. This is why we recommend firms employ the principle of least privilege. In its simplest terms, this means only allowing access to data, documents and resources to personnel who need it. Members of the IT staff likely need more access than employees in the Human Resources or Marketing departments, for example.
We’ve talked about these before, but here are a few internal security best practices to keep in mind:
- Maintain a strong password policy. In addition to creating a strong password and changing it frequently, be sure not to write it down or give it out. Creating a tough password means nothing if it can be easily discovered by a coworker. And remember, "password" is not a good password.
- Use multi-factor authentication. In order to access certain systems or data, your firm should employ at least two-factor authentication practices. This means that in addition to providing a password for access, employees would also need to provide a separate PIN, for example. For access to a data center, firms may want to use biometric screening as a second authenticator.
- Take control of company-sanctioned mobile devices. What happens when an employee leaves the firm? Can they still access company data and information from their mobile device? It’s important to remember that even if an employee leaves, access may not be automatically terminated. Firms should ensure they restrict access when employees leave and are also able to wipe devices remotely if necessary.
Just remember: when it comes to protecting your company’s sensitive information, don’t just train your eyes outward. Look inside too.
Source: Wall Street Journal