Imagine you are sitting at the Urgent Care facility and waiting for a test result. The nurse comes in and says, "Karen, fortunately, you do not have strep." Oddly, you are not Karen and you did not come in to be tested for strep. However, you immediately know you do not want to catch whatever the lady in the next room has. You are given a script for your diagnosis but on the way out the same nurse calls you Karen again and quickly double checks the script she gave you to confirm it is in fact yours and not Karen's.
Although it is the disgruntled/rogue employees who often make headlines, your #1 security threat is well-intended employees. Insider threats often come from accidental and/or neglectful actions. Believe it or not, these unintentional actions lead to security incidents and breaches more often than the malicious ones. As a matter of fact, a 2017 report from Keeper Security and Ponemon Institute states that negligent employees or contractors were the #1 cause of data breaches.
Clearly, confidentiality was not protected very carefully in this scenario. The nurse practically breached the lady's condition who was just one room away. She did not take time to confirm that she was speaking with the correct patient before she jumped in with a diagnosis. These types of scenarios happen all the time. Whether it's a healthcare facility or a completely different type of industry, well-intended employees make careless mistakes, especially in a fast-paced environment.
Employees Do Not Understand why Policies Matter
It's important to educate and reinforce physical security measures to protect your company from insider threats. Often insider threats consist of well-meaning employees who make poor decisions involving security. There's a variety of mishaps that take place at work.
Employees hold open the door for uninvited guests. They go against the security policies of the workplace because they are trying to be polite to others. Or perhaps they use a weak password (that is easy for them to remember) ignoring the policy guideline.
Other times employees forsake security risks to be more productive. They do not follow the written policy in an effort to save time. The employee walks away from his/her desk to use the restroom without locking their computer screen or locking up sensitive documents. Another example is walking away from a copier or fax machine that is processing private information before retrieving the document containing the sensitive information.
Some employees are easily scammed by social engineering techniques. These targeted employees are often public facing and inadvertently give away information that could be used to gain access to restricted areas or to private information all while having a friendly casual conversation with a visitor. These employees are friendly by nature and may leak confidential information during a lunch break without even realizing it.
Another type of breach of information is when employees fail to secure data that is no longer used. Failure to dispose of old records is one example. Clear computers's data before disposing of them. Data shared with third parties must also be managed carefully.
Test Your Employees
Train your employees about security and then test their knowledge. The best way to test them is to present them with fake exercises. For instance consider hiring a cybersecurity professional to perform a social engineering exercise at your company. Discover where the vulnerabilities lie with your employees' security behaviors and react by reinforcing the education of your employees and adjusting policies where needed. Post a list of security best practices to remind your employees to make the right choices.
10 Best Practices to Include:
- Never walk away from your computer without first locking the screen. Do not leave sensitive documents on your desk when you walk away.
- Keep your data center locked and if possible, place a security camera nearby.
- Do not hold a locked door open for a stranger.
- Be cautious about the information you reveal during casual conversations.
- Properly dispose of computers or documents with confidential information.
- Carefully manage what information you share with others. Only grant access to various applications, confidential files and restricted areas of the building when vital to the work of the employees, partners or contractors.
- Enforce strong password policies and use multi-factor authentication when possible.
- Do not walk away from a fax machine or a copier while it is still processing sensitive information.
- Be cautious when sending emails with sensitive information and confirm that you are sending it to the correct party.
- Do not accept invitations on social media from people you do not know.
Failure to recognize and appropriately address insider threats in the form of well-intended employees could be a costly mistake. The safety of your company's sensitive information is dependent on the implementation and ongoing practice of security measures that engage all employees and create an overall security conscious culture. Your employees are your greatest asset, but also your greatest point of vulnerability.
Check out our other blogs on Physical Security:
What is IT Security worth without Physical Security? Employees should Watch out for Tabnabbing
Create a Top-Down Culture The Threat Within
USB Drops: Would your Employees Take the Bait? Social Engineering Takes on Many Shapes
Top 5 Security Awareness Training Topics Insider Threats are Weakening Your Physical Security