Information-technology integration experts David Upton and Sadie Creese believe that the greatest information threat to a company comes not from hackers who try to penetrate it from the outside, but from its own employees who want to harm it.
Internal threats: where the dangers lie
An internal information threat is any action an employee takes with information that runs contrary to the interests of the enterprise. The results of such actions include stoppage of the company's work, economic damage, loss of information resources, loss of reputation, problems in relations with partners, and so on.
Since every company employs people, has corporate resources and holds information, the internal information threat exists for every company and does not go away by itself. The threat to the enterprise is disclosure of information and unauthorized change to it. Employees can harm the company intentionally or unintentionally.
Intentional harm on the part of the employee
How serious the threat of intentional harm is depends on the employees: their morality, honesty, loyalty and dedication to the company, and on the relationship between the employee and the company. An honest employee who is satisfied with the salary and working conditions and agrees with the company's policy has no reason to harm it. An employee who feels offended or professionally unfulfilled, and who does not share the company's values and code of conduct, does have such a reason.
Internal information losses
- disclosure of confidential information;
Information is posted on websites, printed in newspapers and becomes public.
For example, an employee handed photos of a new car to a newspaper. The firm suffered because the public interest built up by its advertising campaign evaporated.
- transfer of information to competitors;
For example, an employee told competitors the date of the presentation of a new phone model. The firm suffered because the competitors scheduled their own presentation for the same day.
- manipulation (alteration) of information;
For example, an employee reduced the purchase price in settlement documents. The firm suffered because it budgeted for lower expenses and did not buy the necessary quantity of goods.
- deletion of information;
For example, an employee deleted customers' phone numbers from a computer database. The firm suffered because it could not serve its customers.
How corporate information leaks:
- by e-mail;
- through copies on USB drives, disks or paper;
- by uploading materials to file-sharing services;
- by photographing documents or screens with a phone;
- by saving data to a phone via Bluetooth, USB or Wi-Fi;
- through a virus or a program that steals passwords or damages the computer.
Since the topic of this article is intentional harm, something should be said about the motives that employee-intruders pursue. These fall into two types:
- Intangible. The person wants to take revenge, or to get moral satisfaction for an offense, by harming the company. This is often the case in labour disputes and in conflicts between employees, or between employees and managers.
For example, an employee passes information to a competitor because he was offended or undervalued by a company manager. The company suffers, losing intellectual property and valuable, unique information, which makes it less competitive in the market.
- Material. The aim here is to earn extra money by selling the company's information or tangible assets, if the employee has access to them. A small salary is not always the excuse for this kind of fraud; more often it is the way of life and character of a person who has decided to earn money on the side.
For example, a system administrator copies the database and secretly sells it, offering it to competitors he knows. Or he reads important confidential documents and decides to profit by selling them or passing their contents to others for a reward. Clearly such a company loses not only money but also its reputation, image and position in the market.
A company's internal information is endangered by staff, freelancers, contractors, trainees and partners, that is, by everyone who has access to the company's technical resources and computer systems, for example CRM, workflow systems, 1C, terminal connections and so on.
Companies need to think carefully, analyze all security weaknesses and apply technical means and methods against them, covering everyone from management to technical staff, however short a time an employee is with the company.
For example, a person posing as an intern got a job at a company and was given access to internal systems to perform his duties. Over two days he copied important data, which he was later able to sell. The cause was open access to confidential information. Let's consider methods for protecting a company's internal information.
Methods of protection against internal threats
1. Limitation of access to information
- Provide access to information, data, programs and projects only when necessary or on request, and not to all employees but only to those who need it for their work. Revoke access when the work is finished;
- Consider the depth of access: do not give full access to unproven employees or to those whose work needs only minimal rights;
- Keep an inventory of access: you need to know who has access to which company resources;
- Revoke access for employees who are leaving the company;
- Change access passwords when new employees join;
For example, an employee asks for access to a project. Find out why and for what purpose it is needed, and grant access within that project only; do not open up to him all the data that is not required for his work.
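The rules in this list can be checked mechanically if the access inventory and the HR roster are compared regularly. The following is an added example, not code from the original article: it reconciles a constructed access inventory against a constructed HR roster and reports grants that belong to leavers, to accounts with no HR record, to people outside the project, or that give full rights during an assumed 90-day probation period. The field names, the sample logins and the probation length are assumptions.

```python
"""Access-inventory reconciliation against the HR roster.

Added example, not code from the original article. The roster, project
assignments and access grants are constructed sample data; the field names
and the 90-day probation period are assumptions, not any HR or IAM system's
schema. The checks mirror the list above: access only for those who need it,
reduced rights for unproven employees, revocation for leavers, and an
inventory that answers "who has access to what".
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

PROBATION_DAYS = 90  # assumption: "unproven" means fewer than 90 days in the company
AUDIT_DATE = date(2023, 5, 1)  # constructed date of this audit run


@dataclass(frozen=True)
class Employee:
    login: str
    status: str               # "active" or "left"
    projects: FrozenSet[str]  # projects the person actually works on
    hired_on: date
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Grant:
    login: str
    resource: str  # e.g. "crm" or "project:alpha"
    level: str     # "read" or "full"


# Constructed sample data: what HR says about people ...
ROSTER: Dict[str, Employee] = {
    "ivanov": Employee("ivanov", "active", frozenset({"alpha"}), date(2021, 2, 1)),
    "petrova": Employee("petrova", "active", frozenset({"alpha", "beta"}), date(2020, 5, 15)),
    "sidorov": Employee("sidorov", "left", frozenset(), date(2019, 9, 1), date(2023, 3, 1)),
    "intern01": Employee("intern01", "active", frozenset({"beta"}), date(2023, 4, 3)),
}

# ... and what the systems say about access (the access inventory).
GRANTS: List[Grant] = [
    Grant("ivanov", "project:alpha", "read"),
    Grant("ivanov", "project:beta", "read"),    # not one of his projects
    Grant("petrova", "project:alpha", "full"),
    Grant("sidorov", "crm", "full"),            # has left, access never revoked
    Grant("intern01", "project:beta", "full"),  # full rights in the first weeks
    Grant("ghost", "crm", "read"),              # account with no HR record at all
]

Finding = Tuple[str, str, str]  # (login, resource, description)


def reconcile(roster: Dict[str, Employee], grants: List[Grant], today: date) -> List[Finding]:
    """Compare every grant with the roster and return the ones that break a rule."""
    findings: List[Finding] = []
    for g in grants:
        emp = roster.get(g.login)
        if emp is None:
            findings.append((g.login, g.resource, "orphan account: no HR record"))
            continue
        if emp.status == "left":
            findings.append((g.login, g.resource, "employee has left: revoke access"))
            continue
        if g.resource.startswith("project:") and g.resource.split(":", 1)[1] not in emp.projects:
            findings.append((g.login, g.resource, "not assigned to this project"))
            continue
        if g.level == "full" and (today - emp.hired_on).days < PROBATION_DAYS:
            findings.append((g.login, g.resource, "full access during probation: reduce to read"))
    return findings


def inventory(grants: List[Grant]) -> Dict[str, List[str]]:
    """Answer 'who has access to what': resource -> sorted list of logins."""
    by_resource: Dict[str, List[str]] = {}
    for g in grants:
        by_resource.setdefault(g.resource, []).append(g.login)
    return {r: sorted(logins) for r, logins in by_resource.items()}


if __name__ == "__main__":
    for login, resource, why in reconcile(ROSTER, GRANTS, AUDIT_DATE):
        print(f"{login:10} {resource:15} {why}")
    for resource, logins in inventory(GRANTS).items():
        print(f"{resource}: {', '.join(logins)}")
```

Run against the sample data, the report lists four problem grants (the leaver, the orphan account, the cross-project grant and the intern's full rights) and leaves petrova's long-standing project access alone; run three months later, the intern's entry disappears because the probation rule no longer applies.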
2. Checking and controlling the work of employees
Check the content of the work employees perform: what they do and how, whether it meets the required indicators and what results it brought. Check how time and resources are spent: which sites and programs are used.
For example, an employee works with important documents, and you need to understand what he opened, copied or compiled, in which text editors he worked and what he did there.
3. Control of outgoing traffic: mail addresses, file sizes, message content.
This type of control is not always required; it needs additional technical tools in the company to analyze traffic and internal threats, namely a DLP system. Employees send large letters and use attachments: who sends them, to whom are they addressed and what is the content of the documents?
4. Prohibition on the use of personal devices: laptops, USB drives, disks.
This method suits a company or department where confidential work is the priority. It is best ensured by prohibiting the use of personal technical equipment at work. The minimum precaution is restricting the connection of USB devices to computers.
An employee inserted a device into a USB port: why?
5. Control of the life cycle of information: from its creation or receipt to its destruction or loss of relevance.
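The three questions in the paragraph (who sends, to whom, and what is in it) are exactly what an outbound-mail DLP rule set encodes. The following is an added example, not code from the original article or from any DLP product: it applies a minimal policy to constructed mail-gateway records. The company domain, the 5 MB threshold, the archive suffixes and the confidentiality markers are assumptions; a real system would inspect the attachments themselves rather than a logged snippet.

```python
"""Outbound e-mail policy check of the kind a DLP system applies.

Added example, not code from the original article or any DLP product. The
messages are constructed gateway metadata; the domain, thresholds and markers
are assumptions.
"""
from typing import Dict, List

COMPANY_DOMAIN = "example-corp.test"              # assumption
MAX_EXTERNAL_ATTACHMENT_BYTES = 5 * 1024 * 1024   # assumption: 5 MB
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")        # assumption: containers that hide contents
CONFIDENTIAL_MARKERS = ("confidential", "commercial secret", "for internal use only")

# Constructed sample of what a mail gateway logs: addresses, attachment names
# and sizes, the subject and a short body snippet.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "petrova@example-corp.test", "to": ["ivanov@example-corp.test"],
     "subject": "Budget v3 (confidential)", "snippet": "Updated figures attached.",
     "attachments": [{"name": "budget.xlsx", "size": 9_000_000}]},
    {"id": "m2", "from": "ivanov@example-corp.test", "to": ["sales@partner.test"],
     "subject": "Meeting on Thursday", "snippet": "Confirming 10:00 at your office.",
     "attachments": []},
    {"id": "m3", "from": "intern01@example-corp.test", "to": ["me.private@webmail.test"],
     "subject": "files", "snippet": "For internal use only. Customer list and pricing.",
     "attachments": [{"name": "customers.zip", "size": 12_500_000}]},
    {"id": "m4", "from": "petrova@example-corp.test", "to": ["legal@partner.test"],
     "subject": "Draft contract - CONFIDENTIAL", "snippet": "Please review section 4.",
     "attachments": [{"name": "contract.pdf", "size": 300_000}]},
]


def is_external(address: str) -> bool:
    """True when the recipient's domain is not the company's own."""
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN


def check_message(msg: dict) -> List[str]:
    """Return the policy findings for one message; an empty list means it passes."""
    external = [r for r in msg["to"] if is_external(r)]
    if not external:
        return []  # purely internal mail is out of scope for these outbound rules
    findings: List[str] = []
    total = sum(a["size"] for a in msg["attachments"])
    if total > MAX_EXTERNAL_ATTACHMENT_BYTES:
        findings.append(f"{total} bytes of attachments to external recipients {external}")
    for a in msg["attachments"]:
        if a["name"].lower().endswith(ARCHIVE_SUFFIXES):
            findings.append(f"archive attachment '{a['name']}' to external recipients")
    text = f"{msg['subject']} {msg['snippet']}".lower()
    for marker in CONFIDENTIAL_MARKERS:
        if marker in text:
            findings.append(f"marker '{marker}' in message to external recipients")
    return findings


def scan(messages: List[dict]) -> Dict[str, List[str]]:
    """Message id -> findings, for every message that triggered at least one rule."""
    result: Dict[str, List[str]] = {}
    for msg in messages:
        findings = check_message(msg)
        if findings:
            result[msg["id"]] = findings
    return result


if __name__ == "__main__":
    for msg_id, findings in scan(SAMPLE_MESSAGES).items():
        print(msg_id)
        for f in findings:
            print("  -", f)
```

On the sample, the large internal budget mail and the short note to a partner pass, the contract draft marked CONFIDENTIAL is flagged once for review, and the message to a personal mailbox collects three findings (size, archive, marker), which is the case an analyst would look at first.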
Do you agree that the greatest harm comes from a company's own employees, not from hackers? Share your knowledge and experience: maybe you have your own examples or cases of threats, and how did you solve them?
What are the greatest risks for companies:
- spread of information,
- leakage of information to competitors,
- corruption of information,
- deletion of information,
- your option.