If you don't know where your sensitive data is and who has access to it – at all times – then you run the risk of losing it to your competitors or fraudsters. This could lead to hefty fines and loss of business which, together, could destroy your business.

If you have been drifting along in a state of blissful ignorance then this next statistic should pop your bubble. A survey carried out by the SANS Institute in 2014/15 found that one third of all businesses were aware of a so-called 'insider incident' or 'insider attack.' These are security breaches which have been deliberately or inadvertently caused or facilitated by an employee, contractor or other company insider.

As with all threats to our health and safety, prevention is far better than cure. The following steps will help to shore up your company's defences against sensitive data loss or theft.

Shore Up your Data Access Policies

In 2014, an Intermedia and Osterman survey named the 'Rogue Access Study,' revealed how a significant number of companies are putting themselves at risk of a security breach due to lax data access policies.

One major area of concern was the continued access to sensitive data by former employees. A staggering 89% of them retained access to company data across a wide range of apps and platforms from Facebook and PayPal to Salesforce and SharePoint. Worse still, 45% admitted that the data could be classified as confidential or highly confidential.

To keep control of this dangerous situation, business owners should ensure that employees are given only the minimum access they require to carry out their role. If their role changes, the permissions should be adjusted accordingly.

Before an employee leaves the company, their log-in credentials across all company platforms and applications should be supplied to IT services who can then remove all access across the board.

On top of restricting access to sensitive company data, employees should be restricted from frivolously accessing external websites. Hackers are known to specifically target insecure websites visited by company employees and using them to infect a company's network using so-called 'drive-by downloads' of viruses and other malware.

Clearly Separate Personal and Company Data

There is absolutely no point in building an ultra-secure company network if you are then going to allow employees to access it usingtheir own insecure applications and devices. In particular, personal applications that allow data sync and file sharing should be avoided as this is a potential route out for sensitive company data.  

There are many advantages to implementing a BYOD (Bring Your Own Device) policy, including the ability to enable remote working and save on hardware costs. However, when it comes to accessing sensitive data it is far more secure to issue company devices which can then be remotely erased should they be lost or stolen. If you do operate a BYOD policy, consider speaking to an IT consulting company about installing software that can separate personal and business data and remotely wipe the latter if needed.

Stolen company laptops are a common security risk so a robust encryption policy should be in place for these devices.

Use Automatic and Manual Intrusion Detection

In the case of a potential security breach, timing is critical. Intrusion detection software should be able to alert your IT security provider within minutes if there is evidence of malware or a data leak. This gives you the maximum time possible to contain the problem and limit damage.

Intrusion detection software should be in place wherever sensitive data flows within your company: data storage servers, email systems, web servers, active directory servers, etc.

In addition, every company should monitor employees' behaviour for evidence of potential insider attack. According to a Wall Street Journal article, sabotage or espionage is usually pre-meditated and clusters of anomalous behaviour can indicate a planned attack. For example, reduced work performance, breaking company policies, paying unusual interest to certain company activities and spending a lot of time in restricted areas should be seen as warning flags, particularly if they occur together. Perhaps an employee whose performance is slipping fears being fired and is seeking to steal IP assets to help them to set up a rival company or supply information to a competitor.

Embrace the Cloud

It may seem counterintuitive to suggest that sensitive data is more secure when it is being shared across multiple servers but this is often the case, especially when it comes to the bigger cloud service providers.

The economies of scale that make cloud computing so efficient when it comes to running virtual platforms and software also help to ensure the best security and intrusion detection measures are in place. Cloud providers are also right up to date when it comes to compliance and will enforce certain security measures (e.g. frequent password updates) which can lapse in a private business network.

Educate your Workforce

Human error is at the heart of almost every security breach. Providing inappropriate access to data, failing to install security patches, allowing access to insecure websites, using an insecure third-party app... the list of potential mistakes is almost endless.

The single best way to prevent a security breach is to educate your employees about how they can best protect company data. This can be done through regular workshops, videos and vulnerability assessments. The key to success is ensuring that training is consistently applied across the company and regularly updated to take account of new threats.

To summarise, there are five areas to attend to to maximize your chances of losing control of sensitive data. You need to restrict access to those who require it and, even then, only for as long as necessary. Company devices are preferable to BYOD. However, if you do need to allow personal devices, restrict access to non-sensitive data as much as possible and ensure that all business data can be instantly and remotely erased by your IT department. Robust and rapid intrusion detection software should be supplemented by manual behavior monitoring. Finally, all of the above should form part of a comprehensive in-house security policy and training program.

About the Author:

Brent Whitfield is the CEO of DCG Technical Solutions Inc. DCG provides specialist advice and IT Consulting Los Angeles area businesses need to remain competitive and productive while being sensitive to limited IT budgets. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters and Yahoo Business. https://www.dcgla.com was recognized among the Top 10 Fastest Growing MSPs in North America by MSP mentor. You can follow him on Twitter at @DCGCloud.

On the Web:

2014 Intermedia/Osterman Rogue Access Study: https://www.intermedia.net/Reports/RogueAccess  Last accessed 8/26/2017

2014/15 SANS insider threats study: https://www.sans.org/reading-room/whitepapers/threats/insider-threats-fast-directed-response-37447 Last accessed 8/26/2017

References:

Law Technology Today: http://www.lawtechnologytoday.org/2016/07/how-to-prevent-a-security-breach/ Last accessed 8/26/2017

IT Business Edge: http://www.itbusinessedge.com/slideshows/show.aspx?c=79585 Last accessed 8/26/2017

Observe IT: https://www.observeit.com/insider-threat/ Last accessed 8/26/2017

Deloitte: http://deloitte.wsj.com/cio/2014/08/07/the-behavior-patterns-that-can-indicate-an-insider-threat/ Last accessed 8/26/2017

You will also like:

Incident Security Response - AccessEnum [FREE COURSE CONTENT!]