Imagine you are sitting at an urgent care facility waiting for a test result. The nurse comes in and says, "Karen, fortunately, you do not have strep." Oddly, you are not Karen, and you did not come in to be tested for strep. You do, however, now know that you do not want to catch whatever the lady in the next room has. You are handed a prescription for your own diagnosis, but on the way out the same nurse calls you Karen again and quickly double-checks that the prescription she gave you is in fact yours and not Karen's.
Although it is the disgruntled or rogue employee who makes the headlines, your #1 security threat is the well-intentioned employee. Insider threats often come from accidental or negligent actions, and these unintentional actions lead to security incidents and breaches more often than malicious ones do. A 2017 report from Keeper Security and the Ponemon Institute found that negligent employees or contractors were the #1 cause of data breaches.
Clearly, confidentiality was not protected very carefully in this scenario. The nurse effectively disclosed the condition of the patient one room away, because she did not take the time to confirm that she was speaking with the correct patient before announcing a diagnosis. Scenarios like this happen all the time. Whether in a healthcare facility or a completely different industry, well-intentioned employees make careless mistakes, especially in a fast-paced environment.
It is important to educate employees about physical security measures, and to keep reinforcing them, in order to protect your company from insider threats. Insider threats often consist of well-meaning employees who make poor security decisions. A variety of mishaps take place at work.
Employees hold the door open for uninvited guests, going against the workplace security policy because they are trying to be polite. Or they choose a weak password that is easy for them to remember, ignoring the password policy.
Other times employees ignore security risks in order to be more productive, skipping the written policy in an effort to save time. An employee walks away from the desk to use the restroom without locking the computer screen or locking up sensitive documents. Another example is walking away from a copier or fax machine while it is still processing a document that contains private information, instead of waiting to retrieve it.
Some employees are easily taken in by social engineering techniques. The targeted employees are often public facing, and in the course of a friendly, casual conversation with a visitor they inadvertently give away information that could be used to gain access to restricted areas or to private data. These employees are friendly by nature and may leak confidential information over a lunch break without even realizing it.
Another kind of breach occurs when employees fail to secure data that is no longer in use. Failure to dispose of old records is one example; failure to wipe the data from computers before they are disposed of is another. Data shared with third parties must also be managed carefully.
Train your employees about security and then test their knowledge. The best way to test them is with simulated exercises. For instance, consider hiring a cybersecurity professional to run a social engineering exercise at your company. Discover where the vulnerabilities lie in your employees' security behavior, and respond by reinforcing their training and adjusting policies where needed. Post a list of security best practices to remind your employees to make the right choices.
Failing to recognize and appropriately address insider threats in the form of well-intentioned employees could be a costly mistake. The safety of your company's sensitive information depends on implementing, and continually practicing, security measures that engage all employees and create a security-conscious culture. Your employees are your greatest asset, but also your greatest point of vulnerability.