Five Tips to Protect Yourself Against Your Employees

That mid-level executive who walks out of corporate headquarters with a flash key that holds reams of sensitive data doesn’t feel like a hacker. But when – whoops – he leaves it on the kitchen table, your firewall has been compromised.

And when it’s picked up by his teenage son, who inadvertently downloads it to his hard drive (where it’s sucked up by spyware and sold to operators in Eastern Europe) the affect is worse than many hack attacks.

The scenario may seem farfetched, but similar tales make headlines on a regular basis: the lost laptop, the accidental emailing of personal information. Vast storehouses of sensitive data are released due to employee carelessness (or employee malfeasance). Your expensive firewall is rendered worthless.

More and more, companies are coming to a sobering realization: their own staff represents a sprawling security threat. In a recent report, McAfee CTO Christopher Bolin summed it up: “Unfortunately, be it deliberate or accidental, the reality is that today’s workforce is posing a serious security threat to corporations, one with the potential to damage a company’s brand, reputation and even entire business.”

Tightening Your Internal Security

The difficulty of safeguarding against your own employees, of course, is that they are inside the firewall. There’s no way around giving at least some employees at least some access to confidential information.

So what’s a company to do? To address that, Datamation spoke with McAfee executive Vimal Solanki, who noted that tightening up internal security involves two broad concepts: A) Defining security rules and policy (which includes defining exactly where your data resides – and where it shouldn’t reside), and B) Enforcing that policy.

Specifically, Solanki detailed these five points from McAfee’s report on improving internal security:

1) Develop, enforce, and ensure compliance of security policy

Step One is always developing a specifically defined security policy, and the McAfee report found that 84% of companies have done this (which makes you wonder about the remaining 16%).

A big part of this task is deciding who has access to what: the CEO obviously has total access to all documents, with access privileges tightening as you move down the hierarchy. Since even low-level employees need some sensitive data, the policy must define how – precisely, down to the night watchman – this information will be archived and distributed.

2) Safeguard data at every stage

A secure company looks at all channels of how data can leave the perimeter. The channels are divided into three areas, Solanki says: physical, network and application.

• “The physical is, once you have the right policy, you should be able to prevent printing of the document,” he says. “I shouldn’t be able to copy it to a USB drive or my external hard drive.”

• Network: “I shouldn’t be able to transmit this over my wi-fi connection when I’m in Starbucks, or just put it over an http transfer.”

• Application: “Once I have the data, I shouldn’t be able to email it, or put it on an instant messenger. I shouldn’t be able to use my Yahoo or Google personal email to send it out.”

Your protection must travel with your data. Not only should a staffer be policed at work, ‘But I should have the same policy when I’m sitting at a Starbucks,” he says. Ideally, even an employee sitting on a plane who attempts to access his email archive in prohibited ways will be blocked.

3) Access control and monitoring

Okay, you’ve got your policy, but is it being followed? “More importantly, there are industry regulations that require you to demonstrate compliance,” Solanki says. An airtight security infrastructure will block access, and it will also record the user, the time, and attach the document that he or she is trying to print.

Solanki describes this process with a tone of satisfaction right out of an episode of TV show CSI: “forensic evidence.”

This policy can be tighter still for employees who management identify as “at risk,” or who are about to leave the company. For these workers, some companies set up a system that records every single contact this individual has with sensitive data. “It can be done in a quiet mode, or in a more visible way that prevents the employee from doing it, and it pops up a screen,” he says.

4) Monitor and prevent installation and usage of unauthorized applications

“One of the biggest threats is that when I go to visit a seemingly innocent Web site, behind the scenes a keylogger is being installed on my laptop – that is the No. 1 issue today,” Solanki says. This keylogger allows a hacker to perpetrate identity theft by stealing all of an individual’s passwords.

“The identity theft business has gotten so sophisticated that if I wanted to rent a botnet – an army of infected machines – I can do that for a dollar a day per PC,” Solanki says.

Safeguarding against authorized apps includes building a tough line of defense on the front lines: all your workers’ PCs must have tough anti-virus and anti-spyware, and ironclad technologies to prevent the installation of a botnet app.

5) Educate and train your staff

Companies have wide latitude in terms of how they enlist their workers in security efforts. The stringency of these effort can range from a pop-up that informs users they’re breaking company policy (which Solanki notes that many users ignore) to iron-wall pop-ups that block action.

To be sure, staff training is urgently needed in battling security threats. For example, many security administrators were aghast that employees kept opening emails whose subject line was “I Love You” – long after it was identified as part of a massive virus attack. Clearly, employees represent a loose link – maybe the loose link – in the security chain.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020

  SEE ALL
ARTICLES