In this series, ProCircular’s team of information security specialists will break down the top cybersecurity risks for small and medium-sized businesses in 2023. How do SMBs prepare for cybersecurity threats and prevent security incidents? Trevor Burke lays out the special precautions organizations can take to lower the likelihood of incidents caused by internal threats.
Protecting Against Insider Threats
When we think of threats to cybersecurity systems, we tend to think of hackers, foreign actors, rival corporate spies, and organized crime groups. These are all considered “external threats” because they originate outside of the organization. Internal threats, on the other hand, can be harder to detect because the perpetrators are already inside the organization and start out with legitimately assigned privileges on the network. Some examples of internal threats include disgruntled employees, user negligence or misinformation, and shadow IT. Let’s walk through the statistics, weaknesses, and protections that determine your susceptibility to internal threats.
1. The Numbers
According to Kaspersky and B2B International’s Corporate IT Security Risks Survey, almost three-quarters of companies are affected by internal security incidents. A breach costs a small to medium-sized business approximately $86,000, and it costs the average organization $3.62M to recover completely. With the cost of incident recovery high and rising, strategic prevention is a necessity. One in five serious incidents involves employees maliciously or erroneously compromising data security. Companies can implement consistent, “baked-in” user security controls to turn internal users into security assets instead of liabilities.
The most common weaknesses in end-user security stem from insufficient training, unintentional mistakes, clicking on phishing emails, saving sensitive data to personal drives, browsing unsafe sites, and shadow IT (technical activity that does not follow the documented process, including the use of unauthorized software, systems, and devices). Employees are not usually motivated by malice. In most cases, the documented process is clunky, inefficient, or nonexistent, so workers adapt their actions to match reality rather than procedure. Other times, employees misunderstand the importance of, or the expectations behind, the security policies they are meant to follow. In many cases, users cause security problems out of simple curiosity or by experimenting with the system. Whatever the reason, letting untrained users onto your network carries severe risk. How do we efficiently train, protect, and monitor internal users so that sensitive data is protected from each of these threat vectors?
Security controls are more effective when they are “baked in” rather than “bolted on.” That means any process, in any department, is vetted for adequate security controls before it is rolled out to users. Your processes should be formalized, documented, and well-communicated to prevent intentional and unintentional deviations. This type of thorough and proactive security program supports a culture in which the secure way of working is also the path of least resistance. This cultural shift needs to come from the top, i.e., the C-suite, and should avoid punitive measures.
Education and Training
Education and training are also necessary so that users understand the risks and the security expectations of their role. Training solutions vary: in-depth seminars, phishing and social-engineering tests, and hands-on learning activities are all options. Shop around for security training that suits your company culture. While mistakes are inevitable, increasing user awareness will prevent a portion of the security incidents caused by misinformation or a lack of awareness.
Finally, technical controls are much less susceptible to human error, and they serve as an excellent safety net for organizations facing any amount of end-user risk. Begin by assessing and maturing your existing technical controls through a penetration test. You’ll need multi-factor authentication (MFA), access control, data loss prevention, web-content filtering, group policy, and endpoint protection. A penetration test will help you understand where security gaps exist and how to remediate them. After that, you’ll need a plan for implementing the resulting professional recommendations to increase your resilience to internal threats.
Threat Management in Iowa and Minnesota
If you’re looking for accomplished experts to support your security posture, trust ProCircular. Proudly serving Iowa, Minnesota, and the entire Midwest, ProCircular is among the top cybersecurity companies in the nation. Our team can provide you with technical control and support, procedural development, and timely responses to whatever comes your way.