Data security for businesses is a major concern—one that even the biggest Fortune 100 companies sometimes struggle with. Major security breaches in businesses continue to make headlines as millions of sensitive records get stolen.
The damage caused by these breaches is felt not just by the companies whose records are stolen, but by their customers, suppliers, and business partners.
But, where should businesses begin when it comes to data security? Should data security start with firewalls, isolated networks, and the latest threat prevention software?
While the technology used to protect your business’ data is important to preventing data breaches, there’s another, more important starting point for preventing a security breach: your employees.
Why does preventing security breaches start with employees?
Employees are Still a Top Security Risk
Employees inside of your business are still a top-ranked threat to data security for businesses of all sizes. Numerous organizations cite employees as a leading cause of data breaches. In a 2015 cybersecurity report cited by the Wall Street Journal, “30% of breaches this year occurred as a result of employee error. Other common reasons for a breach included unauthorized access by insiders intending to steal company data and phishing attacks.”
Whether they’ve made a simple mistake or committed outright malfeasance, employees represent one of the biggest threats to your company’s data security. This is why security breach prevention starts with your employees.
Preventing Breaches: Employee Training
Since such a significant portion of data breaches are directly attributable to employee error, one of the first things your company needs to do is train employees in data security. The latest firewalls and antivirus programs won’t mean a thing if your employees don’t know and follow data security guidelines.
This is where employee training in cybersecurity becomes important.
One of the best ways to counter accidental data breaches caused by uninformed employees is to make sure that they’re informed. With a comprehensive training program in place, businesses can prevent or at least greatly reduce the risk of a data breach.
Training programs should include several elements, such as:
- Basic Data Security Awareness. From using strong, unique passwords to checking incoming email links and attachments before opening them, every employee needs a basic understanding of data security.
- Specific Risks. After assessing what your company’s biggest data breach risks are, it’s important to add training elements that address specific risks that go beyond basic data security.
- Roles & Responsibilities. Every employee should have a clear understanding of what their role is in maintaining data security. Establishing a list of responsibilities for what to do helps to eliminate confusion and enhance each employee’s understanding of how they can promote data security.
- Testing. It’s one thing to sit in a boardroom and listen to a lecture about data security; it’s another thing entirely to remember and practice those measures every day. Periodic testing on data security standards (quizzes, or simulated phishing emails sent to staff) improves retention of the standards and practices. The results also reveal weak spots in the training that can be emphasized in future sessions.
Training helps ensure that employees are informed and prepared to follow data security best practices—but what about employees who intentionally abuse their data access?
Best Practices for Preventing Insider Misuse
Disgruntled employees and former employees are an enormous data breach risk in any company. Because they hold valid credentials, insiders walk past many of the security measures meant to stop outside attackers. This is especially true of former members of the IT team, who have detailed knowledge of your company’s security infrastructure and may know shared or administrative passwords.
While stopping a data breach caused by a determined attacker with inside access can be difficult, there are ways to mitigate the risk and scope of the damage:
- Terminate ALL Unnecessary User Accounts. It’s not uncommon for a business to have numerous inactive user accounts in its infrastructure: accounts created for temporary workers, accounts of ex-employees, or extra accounts that gave a permanent employee access to a specific system for a one-time job. Whatever the reason they exist, these spare, unused accounts are a data security risk that needs to be eliminated. Disable an employee’s accounts on the day they leave, rotate any shared credentials they knew, and review the account list on a regular schedule so that dormant accounts do not accumulate.
- Restrict Access to What’s Necessary for Work. Not every employee needs total access to every database. Define access by job role (role-based access control) and grant each role only the systems and data sets it needs to do its work, the principle of least privilege. If your business uses virtualized infrastructure, your management console can typically assign roles that limit a user to specific virtual machines and data sets. By restricting access, you limit the scope of what an insider attack can reach.
- Monitor Account Use. Monitor user accounts for signs of unusual access requests and behaviors: logins from accounts that should be disabled, access outside normal working hours, attempts to reach systems outside a user’s role, or a burst of record lookups far above a user’s normal volume. Tracking and logging account use establishes an audit trail that lets you trace the origin of a breach after the fact and satisfy compliance requirements. Setting up alerts to warn the security team of suspicious activity enables faster response times and can even allow you to stop a breach that’s in progress.
- Background Check New Hires. Businesses need to know who their employees are. By performing background checks that include financial assessments and criminal history, you can identify who your biggest data breach risks are in your organization.
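The account cleanup and monitoring steps above are easier to reason about with a concrete check. The following is an added example, not code from the original article: it runs over a constructed directory export and a constructed access log (the usernames, roles, resources and log format are all invented for illustration), flags enabled accounts belonging to terminated employees and accounts that have sat idle too long, and then scans the log for the kinds of activity a security team would want an alert on: logins by terminated accounts, access outside a user’s role, off-hours access, and bursts of repeated access to one resource.

```python
"""Account hygiene and login-anomaly checks over constructed sample data."""
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d"
TS_FMT = "%Y-%m-%dT%H:%M:%S"
NOW = datetime(2024, 6, 1)  # reference date for idle-account checks

# Constructed directory/HR export: (username, enabled, employee_status, last_login)
ACCOUNTS = [
    ("alice", True, "active", "2024-05-30"),
    ("bob", True, "terminated", "2024-03-02"),     # ex-employee, still enabled
    ("temp-qa", True, "active", "2023-11-15"),     # temporary account, long idle
    ("svc-backup", True, "active", "2024-05-29"),
    ("carol", False, "terminated", "2024-01-10"),  # correctly disabled already
]

# Constructed least-privilege role map: role -> resources it may touch
ROLE_ACCESS = {
    "finance": {"payroll-db"},
    "engineering": {"source-repo", "ci-server"},
    "backup": {"payroll-db", "source-repo", "ci-server"},
}
USER_ROLES = {"alice": "finance", "bob": "engineering",
              "temp-qa": "engineering", "svc-backup": "backup"}

# Constructed access log: "<timestamp> <user> <resource> <result>"
LOG_LINES = """\
2024-06-01T09:12:04 alice payroll-db success
2024-06-01T09:14:51 alice source-repo denied
2024-06-01T23:47:10 bob source-repo success
2024-06-02T02:15:33 alice payroll-db success
2024-06-02T02:16:02 alice payroll-db success
2024-06-02T02:16:40 alice payroll-db success
"""


def find_stale_accounts(accounts, now, max_idle_days=90):
    """Return (terminated_but_enabled, dormant) username lists.

    Already-disabled accounts are skipped: the risk is live credentials."""
    terminated, dormant = [], []
    for user, enabled, status, last_login in accounts:
        if not enabled:
            continue
        if status == "terminated":
            terminated.append(user)
            continue
        idle = now - datetime.strptime(last_login, DATE_FMT)
        if idle.days > max_idle_days:
            dormant.append(user)
    return terminated, dormant


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, result = line.split()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "user": user,
                       "resource": resource, "result": result})
    return events


def find_anomalies(events, accounts, user_roles, role_access,
                   work_hours=(8, 18), burst_count=3,
                   burst_window=timedelta(minutes=5)):
    """Return (rule, user, timestamp) alerts for activity worth investigating."""
    status_of = {user: status for user, _enabled, status, _last in accounts}
    alerts = []
    recent = {}  # (user, resource) -> timestamps of recent successful accesses
    for ev in events:
        user, res, ts = ev["user"], ev["resource"], ev["ts"]
        # A terminated employee's account should never log in successfully.
        if status_of.get(user) == "terminated" and ev["result"] == "success":
            alerts.append(("terminated-account-login", user, ts))
        # Any attempt outside the user's role, even a denied one, is a signal.
        allowed = role_access.get(user_roles.get(user), set())
        if res not in allowed:
            alerts.append(("out-of-role-access", user, ts))
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            alerts.append(("off-hours-access", user, ts))
        # Burst detection: burst_count successes on one resource within the window.
        if ev["result"] == "success":
            window = [t for t in recent.get((user, res), []) if ts - t <= burst_window]
            window.append(ts)
            recent[(user, res)] = window
            if len(window) == burst_count:
                alerts.append(("burst-access", user, ts))
    return alerts


if __name__ == "__main__":
    print("terminated but enabled / dormant:", find_stale_accounts(ACCOUNTS, NOW))
    for rule, user, ts in find_anomalies(parse_log(LOG_LINES), ACCOUNTS,
                                         USER_ROLES, ROLE_ACCESS):
        print(f"{ts.isoformat()}  {rule:<26} {user}")
```

Run against the constructed data, the account check reports bob (terminated but still enabled) and temp-qa (idle for more than 90 days); the log scan reports bob’s successful off-hours login, alice’s denied attempt on source-repo, the four off-hours events, and alice’s burst of three payroll-db reads within five minutes. The thresholds are deliberately simple; in practice you would tune the idle period, working hours and burst window per role and feed the alerts into whatever ticketing or SIEM process your security team already uses.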
Any security chain is only as strong as its weakest link. By training employees, restricting sensitive data access to need-to-know job roles, monitoring for unusual activity, and thoroughly vetting new hires, you can strengthen the link in the chain that is your workforce—improving your company’s overall data security.