As a small business, one of the biggest threats to your information assets resides within your own operation. The insider threat, intentional or otherwise, is now one of the major concerns in cybersecurity, and with good cause.
So what exactly are the insider threats to small businesses, and how can you mitigate the dangers? We asked Jamie Graves, Co-Founder and CEO of ZoneFox, to explain:
Within many organisations these days, users have more access to data than they need. Cloud storage services have created a phenomenon called Shadow IT, permitting users to save potentially confidential data to the cloud for future access, and with the (understandable) requirement of user-friendliness throughout IT assets, security controls are often disabled rather than tuned.
While the insider threat can be a pain in the backside, there are ways to protect yourself and keep your users happy simultaneously.
What is the insider threat?
In order to defend yourself effectively, you need to understand what you’re up against. The insider threat comes in many forms, but you can narrow them down to either malicious/intentional threats, or threats that stem from carelessness or a lack of knowledge and skill within your workforce:
- You may have a user that thinks it’s okay to throw the classified document that they were editing up onto their favourite cloud storage platform so that they can access it later.
- One of your users may provide their credentials to a malicious third-party after being subject to a social engineering attack.
- You may have a malicious insider who is looking to steal or destroy data because they are disgruntled or under the employ of a competing organisation.
- In the world of startups and small businesses, security controls can sometimes be sacrificed to allow for speed of delivery, lack of knowledge, or user satisfaction.
Now that you better understand the threat, we can help you get a handle on the situation and prepare the right defences.
Defence #1: Create enforceable policies
Good documentation makes a good cybersecurity practice, and policies are a staple in said documentation. Policies back up your decisions, provide guidance for your cybersecurity controls, and give you a base for user education.
Acceptable use, privacy, and mobile computing are three base policies that should exist in most organizations. The policies exist to provide the following:
Acceptable use policy
An acceptable use policy puts parameters around how your assets can be used.
- Are your users allowed to store company data in cloud storage?
- Are USB drives allowed for backup purposes?
These answers and others should reside in this policy.
Privacy policy
A privacy policy sets out how confidential and personal data is handled within the organization.
- Does classified data exist on the network? If so, how will your users need to handle it to avoid disclosure?
- What safeguards are in place to protect your users’ data?
- How is employee data stored and encrypted?
Mobile computing policy
Instilling a mobile computing policy lays out rules for mobile access to company resources.
- Do your employees take laptops home?
- How do they access company data remotely?
- Are there specific rules required for travel to high-risk countries?
- Mobile phones: are they provided by the organization, or do you live in a BYOD world?
All of these mobile devices access your organization’s resources; your mobile computing policy dictates how.
Once you have a base set of policies in place, your next step is to educate your users about their existence, and what it means to them.
Defence #2: User awareness education
A user’s misunderstanding of technology or trusting nature can lead to potentially unwanted situations. Data loss, malware infection, and unauthorized access are just three of the potential threats you face when your users carry on with their business without proper security awareness education.
Facilitating user awareness training is pretty straightforward in theory, although not always easy to execute. Initially, you will need to provide live training: in person if you have a small team in a central location, or online via webinar if your team is larger and decentralized.
Some of the topics you will want to cover will be:
- Existing security policies: how to adhere to their rules for better protection of organizational assets
- Phishing email: what to look out for, and how to examine messages for authenticity or malicious content, such as macros
- Malware handling: what to do (and who to call) should you get infected
Since your users are generally prime targets for attackers, skilled and not so skilled, providing proper education for them can help shore up your defences and help you mitigate the insider threat.
Keep in mind that your users may forget, so you need to ensure that you keep refreshing your users’ memories! Quarterly or semi-annual training wouldn’t go amiss.
Defence #3: Implement and maintain cybersecurity controls
Along with enforceable policies and educated users, you still need to maintain technical cybersecurity controls within your environment. Users forget elements of training, malicious users ignore policy, and accidents happen.
Here are a few examples of controls you can use to help ensure that your users are adhering to policy and best practices:
Endpoint data loss protection
Endpoint data loss protection (DLP) provides functionality to disable USB storage and block data transfers to cloud services. If you do implement this technology, make sure that you keep the policies relevant and up to date.
Endpoint malware detection
Endpoint malware detection has made some significant progress since the old, signature-based days. With new features such as containerization to help stop malware from executing, implementing this type of control can go a long way to helping prevent accidental launch of malicious executables.
The drawback? This type of technology may require a lot of tuning to ensure that your users can still do their work.
User behaviour analysis
User behaviour analysis can provide valuable insights into what your users are up to, whether they are adhering to policy, and if they are attempting to pilfer data or otherwise harm your organization’s assets.
The upside of these types of tools is that they are relatively low maintenance. The downside is that these solutions can be a bit pricey for small businesses, but worth it if they can be afforded.
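As an added illustration of the two controls described above (the policy checks in "Endpoint data loss protection" and the baseline comparison in "User behaviour analysis"), here is a small Python detector. It is example code written for this page, not ZoneFox's product and not code from the original guide; the log format, host names, user names, thresholds and the sample events are all constructed assumptions.

```python
"""Added example (not ZoneFox's product, not code from the original article): a small
endpoint-event detector. Per-event policy checks stand in for DLP (USB writes, uploads to
unsanctioned cloud hosts); a per-user daily-volume baseline stands in for user behaviour
analysis. Log format, hosts, users, thresholds and sample data are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed policy settings (hypothetical; derive yours from your acceptable use policy).
SANCTIONED_CLOUD_HOSTS = {"files.corp.example"}
USB_ALLOWED_USERS = {"backup-svc"}        # policy: USB storage only for the backup account
ANOMALY_SIGMAS = 3.0                      # flag a day beyond mean + 3 standard deviations
MIN_ANOMALY_MB = 100.0                    # never flag tiny absolute volumes


@dataclass
class Event:
    ts: str        # ISO-8601 timestamp (constructed)
    user: str
    action: str    # "usb_write" or "cloud_upload"
    target: str    # USB device id or destination host
    size_mb: float
    label: str     # data classification, e.g. "public" or "confidential"


def parse_log(text):
    """Parse 'ts|user|action|target|size_mb|label' lines; skip blanks and '#' comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"malformed event line: {line!r}")
        ts, user, action, target, size_mb, label = fields
        events.append(Event(ts, user, action, target, float(size_mb), label))
    return events


def policy_violations(events):
    """DLP-style checks: each event is judged on its own against the written policy."""
    findings = []
    for e in events:
        if e.action == "usb_write" and e.user not in USB_ALLOWED_USERS:
            findings.append({"user": e.user, "rule": "usb_write_not_permitted", "ts": e.ts})
        elif e.action == "cloud_upload" and e.target not in SANCTIONED_CLOUD_HOSTS:
            rule = ("confidential_to_unsanctioned_cloud" if e.label == "confidential"
                    else "unsanctioned_cloud_upload")
            findings.append({"user": e.user, "rule": rule, "ts": e.ts, "target": e.target})
    return findings


def daily_volumes(events):
    """Total MB moved per user per calendar day (day taken from the timestamp prefix)."""
    totals = defaultdict(lambda: defaultdict(float))
    for e in events:
        totals[e.user][e.ts[:10]] += e.size_mb
    return totals


def volume_anomalies(events):
    """UBA-style check: compare each user's latest day against their own earlier days."""
    findings = []
    for user, per_day in daily_volumes(events).items():
        days = sorted(per_day)
        if len(days) < 3:          # not enough history to build a baseline
            continue
        history = [per_day[d] for d in days[:-1]]
        latest_day, latest = days[-1], per_day[days[-1]]
        threshold = max(mean(history) + ANOMALY_SIGMAS * pstdev(history), MIN_ANOMALY_MB)
        if latest > threshold:
            findings.append({"user": user, "day": latest_day, "mb": latest,
                             "threshold_mb": round(threshold, 1)})
    return findings


# Constructed sample log: alice has a steady baseline then a large spike; bob writes to
# USB without permission; carol uploads a confidential file to an unsanctioned host.
SAMPLE_LOG = """
2024-03-04T09:12:00|alice|cloud_upload|files.corp.example|20|public
2024-03-05T10:01:00|alice|cloud_upload|files.corp.example|22|public
2024-03-06T09:48:00|alice|cloud_upload|files.corp.example|19|public
2024-03-07T11:20:00|alice|cloud_upload|files.corp.example|21|public
2024-03-08T09:05:00|alice|cloud_upload|files.corp.example|20|public
2024-03-11T18:40:00|alice|cloud_upload|files.corp.example|900|confidential
2024-03-11T08:30:00|backup-svc|usb_write|usb-0042|5000|confidential
2024-03-11T13:15:00|bob|usb_write|usb-0099|5|public
2024-03-11T16:02:00|carol|cloud_upload|cloud-share.example.net|3|confidential
"""


def analyse(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings for review or alerting."""
    events = parse_log(text)
    return {"violations": policy_violations(events), "anomalies": volume_anomalies(events)}


if __name__ == "__main__":
    for kind, items in analyse().items():
        for item in items:
            print(kind, item)
```

The two checks answer different questions: the policy rules catch actions that are never allowed regardless of who does them, while the baseline check catches a permitted action (an upload to the sanctioned host) whose volume is out of character for that user. Keeping the allow-lists in sync with the written acceptable use policy is what stops the DLP rules going stale.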
Providing basic cybersecurity controls can go a long way toward mitigating insider threats in your organization. You will still need to maintain your controls, monitor and log their output, and use your policies to derive the standards by which they should be configured.
While the insider threat can be a plague to modern organisations, whether large or small, it is not an insurmountable obstacle. By creating policies (not too stringent) that add parameters within which your business can run securely, providing regular training to your users to help keep them sharp, and adding some technological controls on top to provide backup when your users slip up, you can go a long way toward mitigation.
About the author
This guide has been written exclusively for ByteStart by Jamie Graves Ph.D., Co-Founder and CEO of ZoneFox, an Edinburgh-based cyber security company. Established in 2010, ZoneFox provides progressive security solutions that protect valuable company data and intellectual property against the insider threat, with its patented technology.