Here at Eze Castle Integration, we often talk about cybersecurity threats and best practices firms can employ to keep information safe. Just last week, we talked about computer viruses and the threat they can pose to your organization. You may think that your security efforts should be focused on external risks, but the reality is that the biggest security threat to your firm could be the person sitting right next to you.
PricewaterhouseCoopers' 2018 Global Economic Crime and Fraud Survey, which polled executives about economic crime, reports several jarring statistics, including:
52% of respondents who said they had experienced economic crime in the past 12 months said the main perpetrator of the most serious fraud was someone inside the organization, up 6% from 2016
24% of reported frauds were committed by senior management
68% of external actors committing the fraud are familiar with the organization, whether they are vendors, service providers, or clients
Anyone at the company with a certain level of access could gain control of sensitive information. This is why we recommend firms employ the principle of least privilege. In its simplest terms, this means only allowing access to data, documents and resources to personnel who need it. Members of the IT staff likely need more access than employees in the Human Resources or Marketing departments, for example.
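To make the principle concrete, here is an added example (not Eze Castle Integration's code) of a deny-by-default access check: every permission is an explicit per-role grant, anything not listed is refused, and an access-review helper reports what an employee can reach but does not need. The roles, resources and staff roster are constructed to mirror the IT / HR / Marketing illustration above.

```python
"""Least-privilege access decisions: deny by default, grant per role.

Added example, not Eze Castle Integration's code. The roles, resources and
staff roster below are constructed for illustration.
"""
from dataclasses import dataclass

# Every permission is an explicit grant; anything not listed here is denied.
ROLE_GRANTS: dict[str, frozenset[str]] = {
    "it_admin":  frozenset({"server_room", "backup_share", "hr_share", "crm"}),
    "hr":        frozenset({"hr_share"}),
    "marketing": frozenset({"crm", "marketing_share"}),
}


@dataclass(frozen=True)
class Employee:
    name: str
    roles: frozenset[str]


def is_allowed(employee: Employee, resource: str) -> bool:
    """True only when some role the employee holds explicitly grants `resource`.
    Unknown roles and unlisted resources fall through to a denial."""
    return any(resource in ROLE_GRANTS.get(role, frozenset()) for role in employee.roles)


def reachable(employee: Employee) -> frozenset[str]:
    """Everything the employee can currently reach, across all of their roles."""
    return frozenset().union(*(ROLE_GRANTS.get(r, frozenset()) for r in employee.roles))


def excess_access(employee: Employee, needed: frozenset[str]) -> frozenset[str]:
    """Access review: resources granted but not needed for the job are the
    candidates to remove. A non-empty result means least privilege is violated."""
    return reachable(employee) - needed


def who_can_reach(resource: str, staff: list[Employee]) -> list[str]:
    """Reverse lookup for a review: which people can reach a given resource."""
    return sorted(e.name for e in staff if is_allowed(e, resource))


# Constructed roster for the example.
STAFF = [
    Employee("alice", frozenset({"hr"})),
    Employee("bob", frozenset({"it_admin"})),
    Employee("carol", frozenset({"marketing", "hr"})),   # picked up a second role over time
    Employee("dave", frozenset({"contractor"})),          # role with no grants at all
]

if __name__ == "__main__":
    for e in STAFF:
        print(e.name, sorted(reachable(e)))
    print("hr_share:", who_can_reach("hr_share", STAFF))
    print("carol excess:", sorted(excess_access(STAFF[2], frozenset({"crm", "marketing_share"}))))
```

Run periodically against the real roster, `excess_access` and `who_can_reach` are the two questions a least-privilege review has to answer: what can each person reach that their job does not require, and who can reach each sensitive resource.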
We’ve talked about these before, but here are a few internal security best practices to keep in mind:
Maintain a strong password policy. In addition to creating a strong password and changing it frequently, be sure not to write it down or give it out. Creating a tough password means nothing if it can be easily discovered by a coworker. And remember, "password" is not a good password.
Use multi-factor authentication. In order to access certain systems or data, your firm should employ at least two-factor authentication practices. This means that in addition to providing a password for access, employees would also need to provide a separate PIN or one-time code, for example. For access to a data center, firms may want to use biometric screening as a second authenticator.
Take control of company-sanctioned mobile devices. What about when an employee leaves the firm? Can they still access company data and information from their mobile device? It’s important to remember that even if an employee leaves, access may not be automatically terminated. Firms should ensure they restrict access when employees leave and are also able to wipe devices remotely if necessary.
Just remember: when it comes to protecting your company’s sensitive information, don’t just train your eyes outward. Look inside too.