Thursday, April 16, 2015

Your employees are your biggest security risk


It seems that every week we read a story about another company that has been hacked and had its information and data compromised. Most companies believe that their greatest security risk comes from cyber terrorists overseas—nameless and faceless hackers sitting in some high-tech hovel in some foreign country.

Your greatest security risk, however, comes from within—your own employees.

Case in point? This story, via Fusion:

"In January, authorities arrested Eddie Raymond Tipton, the Director of Information Security for the Multi-State Lottery Association, a non-profit organization that runs multi-state games for 33 different state lotteries, on charges of fraud.… Tipton is being accused not just of claiming a winning ticket he wasn’t allowed to have, but hacking into the lottery’s random number-generator software to engineer a win for himself.…

"According to the court documents, the Multi-State Lottery Association’s random-number generator computers are disconnected from the Internet and kept in a locked, glass-walled room that is under 24-hour video surveillance. Prosecutors allege that Tipton entered the room on November 20, 2010, changed the camera’s settings to have it record less frequently, and inserted a USB drive containing malware that would manipulate the results of the upcoming lottery drawing."

I'm not saying that the threat from your employees comes from the type of malicious mischief of which Tipton is accused. With data security, sins of omission can be as deadly as sins of commission. Do you have a Bring Your Own Device Policy? Do you have employees sign confidentiality agreements? Do you train your employees on the evils of unsecured WiFi and what to do when a mobile device goes missing? If not, you are being cavalier with your data security, which places your entire business at risk of being the next big data breach story.