Internal threats can be one of the biggest vulnerabilities a company may face. A disgruntled employee, especially a higher-level or IT employee, who has security access and administrative rights to networks and data centers can inflict a tremendous amount of damage to a company.
The best way to minimize this threat is to implement an internal audit process that identifies and records any privileged account credentials and terminates any accounts of employees who are no longer with the company or in need of their credentials. Once that process is implemented, the next step should be to monitor the activity of the employees with privileged credentials. An infrastructure should be put in place to track and log this activity and alerts should be set up to notify the appropriate people of any suspicious or malicious activity. Implementing this process could help avoid a potential breach, but at the very least it should minimize the damage.
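As an added example (not from the article), the following Python script shows the two steps the paragraph describes: reconciling a privileged-account inventory against an HR roster to find accounts that should be disabled, and scanning activity logs for privileged-account events that should raise an alert. The roster, the account inventory, the log format and the business-hours window are all constructed assumptions for illustration.

```python
from datetime import datetime

# Constructed sample data: HR status per user and the privileged roles each
# account holds. "dave" holds a privileged role but is unknown to HR.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}
PRIVILEGED_ACCOUNTS = {
    "alice": ["domain-admin"],
    "bob": ["dc-operator"],
    "dave": ["backup-admin"],
}

# Constructed log lines in a simple key=value format (assumed, not a real product's format).
SAMPLE_LOGS = [
    "2024-03-01T02:13:00 user=bob action=login host=dc01 result=success",
    "2024-03-01T10:05:00 user=alice action=login host=dc01 result=success",
    "2024-03-01T03:40:00 user=dave action=export host=fileserver result=success",
    "2024-03-01T11:00:00 user=carol action=login host=ws07 result=success",
    "2024-03-01T23:15:00 user=alice action=reset-password host=dc01 result=success",
]


def audit_privileged_accounts(accounts, roster):
    """Step 1: privileged accounts whose owner is not an active employee.

    Covers both departed employees and accounts HR has no record of; these are
    the accounts the audit process should disable or re-justify."""
    return sorted(user for user in accounts if roster.get(user) != "active")


def parse_log_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed time."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def alert_on_privileged_activity(lines, accounts, roster, business_hours=(8, 18)):
    """Step 2: alerts for privileged activity that needs a human look.

    Flags any activity by a privileged account whose owner is not active, and
    privileged activity outside the (assumed) business-hours window."""
    alerts = []
    for line in lines:
        event = parse_log_line(line)
        user = event["user"]
        if user not in accounts:
            continue  # ordinary user; not in scope for this monitor
        if roster.get(user) != "active":
            alerts.append((user, "activity by privileged account whose owner is not active"))
        elif not (business_hours[0] <= event["time"].hour < business_hours[1]):
            alerts.append((user, f"privileged activity outside business hours: "
                                 f"{event['action']} on {event['host']}"))
    return alerts
```

In practice the roster would come from the HR system and the inventory from the directory service, and the alerts would be routed to the people the paragraph mentions rather than returned as a list.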
Careless employees can be as dangerous as disgruntled ones. Employees who are not adequately trained on security risks pose a big problem. If employees aren’t required to have a strong password, are allowed to visit unauthorized websites, click suspicious email links, or open attachments from unknown sources, they pose a tremendous security risk for a company.
BYOD (Bring Your Own Device)
With the increasing use of smartphones and tablets, today’s workforce is more mobile than ever before. The high availability and constant contact that BYOD affords employees come with additional security risks. The additional vulnerabilities come from:
- Lack of control and visibility to the data being transmitted and stored on a personal device
- The loss or theft of the device
- Lack of control over the devices being used
- Employees compromising cybersecurity
If a company does allow employees to use their own devices for work, it is essential that it develop a comprehensive BYOD policy. This policy needs to encompass three objectives: resource availability, integrity, and confidentiality of stored data. The policy needs to factor in the needs of the entire company – not just security and IT. If the policy put in place is not aligned with all of the departments, employees are more likely to circumvent the security policy and safeguards in favor of their own user experience.
Some minimum security measures that should be implemented are:
- A registration process for employee-owned devices to go through before they are granted access to company resources
- A process to protect the confidentiality and integrity of the exchange between the device and the data and services being accessed
- The ability to know who, what, when, where, and how enterprise data and services are accessed
- The ability to remotely wipe a protected environment if a device is lost or compromised
Because companies in the equipment finance industry have regulatory and compliance responsibilities and handle sensitive financial data, it’s important that they go above and beyond the minimum efforts to protect their data and their environment. Companies that are actively supporting BYOD programs need to consider an enterprise mobility management (EMM) and a mobile application management (MAM) solution to help manage the process.
Next up in the security suite: “New Technologies and Outside Hacks.”