Our top 5 tips to reduce the risk of confidential information leaks are to create a culture of information security, implement regular information security training and education, implement a malicious employee mitigation strategy, implement a high-security document shredding service and have a security classification redundancy system. If you could benefit from free resources, templates, and assistance on implementing tighter information security, give us a call. Continue reading to learn more about how to implement these 5 tips.


Interesting Information Concerning Information Security

Before moving on to how to implement information security protocols, we need to look at which data is most at risk and who the culprits are most likely to be. According to one study (^), 73% of all data leaked is customer data, 15% is confidential corporate information, 4% is intellectual property and 8% is health records. What this means is that any effort to bolster information security should focus first on protecting customer data.

In addition, according to a study by Vontu Inc. titled “Ponemon Institute’s Survey on Data Security Breaches” (^), the most likely threat to information security is not from outside your organization but from within. The study found that 69% of companies reporting serious data leaks stated that they were the result of internal employees. Of this 69%, 39% were the result of non-malicious employee errors and 30% were the result of malicious employee activities. As a result, our advice would be to put serious effort and a large portion of your focus on reducing employee errors, followed secondly by working to reduce the risk of malicious employee activity.

This can be done by following these five steps:

1. Create A Culture Of Information Security

Threat = Unaware Employee

Reducing the occurrences and risks of unintentional employee errors that result in information leaks all starts with elevating awareness and importance in the mind of your workforce. In order to make this happen, you will need to get information security ingrained as part of your company’s culture.

Some key components of implementing a culture of information security are to:

  • Clearly outline consequences to employees for not following security protocols
  • Reward employees for good information security and fostering a culture of information security (such as bonuses and recognition)
  • Appoint a chief information security officer to lead your initiative
  • Get full upper management buy-in and visible support, with management stressing the importance of the initiative to all employees
  • Conduct an annual information security survey of employees to gauge the success of your program and identify weak points to improve
  • Select a team of individuals, one from each department to be security awareness ambassadors
  • Piggyback and use special corporate events to convey the security message you want to relay to your employees

Some great additional reading:
https://www.cisco.com/web/about/security/cspo/docs/creating_culture_of_security.pdf

2. Regular Education & Training Program For Employees

Threat = Unaware Employee

Implementing a culture of information security on its own will not be enough to reduce your risk of unintentional employee confidential information leaks. This needs to be paired with a strong education and training program. This training should include an annual review of your information security policies and manuals.

In addition, holding monthly information security training sessions on specific topics is an excellent method of keeping information security top of mind and keeping employees well trained and aware of proper protocols. Topics that can be covered include physical document destruction, information classification and handling, password protocols, malicious software prevention, identifying co-worker malicious activity or employees at risk of performing such activities, internet use, portable device use and internal network protection.

Plans for training should be put in place for each department, specific to their workflows and responsibilities. In some instances, it will be beneficial to bring in outside experts to conduct the training (e.g. network security for your IT department).

3. Implement A Malicious Employee Mitigation Strategy

Threat = Malicious Employee

In order to reduce the risk of malicious employee activity, you will need to have a comprehensive plan. Motivations for malicious behavior are varied, but include reasons such as corporate espionage, financial reward, or a grievance with an employer.

According to a study conducted by The US Secret Service and CERT, 92% of insider-related offenses followed a “negative work-related event.” As a result, the bulk of your strategy should center on reducing negative work-related events and on identifying affected employees. The threat of malicious employee activity is too complex an issue to implement only one or two tactics and expect to see a reduction in risk. Some of the key components that should be included in any strategy are:

  • Comprehensive manager training to eliminate risks of “negative work-related events” for their subordinates
  • Visible monitoring that employees are aware of
  • Conducting in-depth employee background checks including multiple reference checks at the time of hiring
  • An anonymous malicious co-worker flagging system
  • A policy of assigning information access levels at the individual level, not at the group or department level
  • A regular malicious employee risk assessment, identifying any employees that you feel would be at risk of performing malicious activity and taking the necessary actions
  • Deactivate the employee’s computer, their access to company systems and their access to important physical resources prior to or immediately at termination

Some great resources on this topic include:

http://www.isdecisions.com/blog/it-security/prevent-insider-threats-from-both-malicious-and-careless-activity/
http://www.networkworld.com/article/2280365/lan-wan/13-best-practices-for-preventing-and-detecting-insider-threats.html
https://www.securestate.com/blog/2011/02/24/means-opportunity-and-motive-point-of-interaction-awareness

4. Implement A High-Security Document Shredding Service


Threat = Dumpster Diving

If your organization does not shred hard-copy information promptly once it is no longer needed, it is running the risk of having that information fall into the wrong hands. Such an occurrence can cost an organization millions of dollars and be financially crippling. An attacker (whether an outside threat, a thief or a malicious employee) may decide to raid a company’s dumpster to easily obtain very harmful documents. This same risk extends to attackers searching dumpsters for storage media such as retired computers, cell phones, CDs, DVDs, USB drives or external hard drives that have not been wiped properly. Even if files are deleted from these devices they can sometimes be recovered, so you will want to make sure you have storage devices destroyed or cleared by a professional.

In terms of physical documents, the best solution is to pick a high-security document shredding service company that services your city and enlist their services. By working with an expert, you can ensure your documents are destroyed securely and recycled. In addition, such companies can often provide assistance creating and implementing policies, procedures and training for proper physical document security. If you would like this kind of assistance for your business, give us a call.


5. Security Classification Redundancy System

Threat = Security Classification Errors

Another major threat is simply that people who should not have access to certain information inadvertently get it. This can be because they are sent information over email that they should not have been sent, or because they are granted security access to systems or files by accident or incorrectly.

As a result, you should have some kind of redundancy system in which two separate people annually check access to your most important information to ensure each employee has the proper security level.
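The two points above (assigning access levels per individual rather than per department, from tip 3, and an annual check by two separate people, from tip 5) are easy to turn into a repeatable control. The following is an added example written for this post, not a tool from the original page: it reconciles the classification tier each person is actually granted against the tier approved for them, flags over-provisioned accounts, accounts with no approval on record, and terminated staff whose access was never deactivated, and treats the review as complete only when two distinct reviewers have signed off on the same set of findings. The tier names, the registers and the user names are all constructed sample data.

```python
"""Per-individual access reconciliation with a two-reviewer sign-off.

Added example (not the page's or any vendor's code). Assumptions, all
constructed for illustration: access is recorded per individual as a
classification tier (PUBLIC < INTERNAL < CONFIDENTIAL < RESTRICTED);
an "approved" register holds the tier each person is entitled to; a
"granted" register holds what the systems actually grant; two named
reviewers must independently confirm the same result set.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TIERS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
RANK = {tier: i for i, tier in enumerate(TIERS)}

# Constructed sample data: the tier approved for each individual.
APPROVED: Dict[str, str] = {
    "alice": "RESTRICTED",
    "bob": "INTERNAL",
    "carol": "CONFIDENTIAL",
    "dave": "INTERNAL",   # has left the company; should hold no access
}
TERMINATED: Set[str] = {"dave"}

# Constructed sample data: what the systems actually grant today.
GRANTED: Dict[str, str] = {
    "alice": "RESTRICTED",
    "bob": "CONFIDENTIAL",  # granted above the approved tier
    "carol": "CONFIDENTIAL",
    "dave": "INTERNAL",     # not deactivated at termination
    "erin": "INTERNAL",     # no approval on record at all
}


@dataclass
class Finding:
    user: str
    kind: str  # "over_provisioned", "no_approval" or "terminated_active"
    granted: str
    approved: Optional[str]


def reconcile(approved: Dict[str, str], granted: Dict[str, str],
              terminated: Set[str]) -> List[Finding]:
    """Compare each individual's granted tier with the approved one."""
    findings: List[Finding] = []
    for user, tier in sorted(granted.items()):
        if user in terminated:
            findings.append(Finding(user, "terminated_active", tier, approved.get(user)))
        elif user not in approved:
            findings.append(Finding(user, "no_approval", tier, None))
        elif RANK[tier] > RANK[approved[user]]:
            findings.append(Finding(user, "over_provisioned", tier, approved[user]))
        # Equal or lower than approved: no finding (under-provisioning is not a leak risk).
    return findings


@dataclass
class Review:
    findings: List[Finding]
    signoffs: Dict[str, str] = field(default_factory=dict)  # reviewer -> fingerprint

    def fingerprint(self) -> str:
        # Stable summary of the result set, so both reviewers confirm the same thing.
        return "|".join(f"{f.user}:{f.kind}:{f.granted}" for f in self.findings)

    def sign(self, reviewer: str) -> None:
        self.signoffs[reviewer] = self.fingerprint()

    def complete(self) -> bool:
        """True only when two distinct reviewers signed the identical finding set."""
        return (len(self.signoffs) >= 2
                and set(self.signoffs.values()) == {self.fingerprint()})


if __name__ == "__main__":
    review = Review(reconcile(APPROVED, GRANTED, TERMINATED))
    for f in review.findings:
        print(f"{f.user:6} {f.kind:18} granted={f.granted} approved={f.approved}")
    review.sign("reviewer_a")
    review.sign("reviewer_b")
    print("review complete:", review.complete())
```

The fingerprint ties each signature to the exact findings list, so a second signature by the same reviewer, or a signature given after the findings changed, does not count; running the same reconciliation against a fresh export of system permissions after remediation should yield an empty findings list.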

In addition, as much as possible you should ensure that critical information is not easily shareable over email. This can be done by making key information visible only through a portal, not downloadable, and with no export option for the data.

Sources:
http://www.cuhk.edu.hk/policy/pdo/en/doc/inle0809.pdf
http://www.edtechmagazine.com/higher/article/2013/08/5-tips-preventing-data-loss-disaster
http://www.computerworld.com/article/2563307/security0/five-steps-your-company-can-take-to-keep-information-private.html
https://www.sans.org/reading-room/whitepapers/awareness/data-leakage-threats-mitigation-1931
http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.html
http://www.cio.com/article/2384855/compliance/most-data-breaches-caused-by-human-error–system-glitches.html