24 May 2011

How to protect against insider data breaches

Absolute Software | www.absolute.com


When someone talks about information data breaches, what are the first things that come to mind? Hackers? Corporate espionage? The model employee sitting next to you?

If recent history has taught us anything, it's that insider threats are alive and well in business – from fraud at JP Morgan to opportunist cashiers at high street banks. We don't want to think that employees we trust would commit security breaches, but Gartner estimates that 70 per cent of security breaches occur as a result of internal sources. In a survey conducted by Research Concepts and Absolute Software, nearly 40 per cent of IT professionals believe that their own employees – including those with access to passwords and encryption keys – are responsible for the majority of computer theft. In most cases, we're not looking at corporate spies or crimes of opportunity. Instead we're seeing good employees with not-so-perfect security behaviour.

As laptop computers become more prevalent in business, IT professionals face the new security challenge of protecting hardware and company information that is increasingly mobile. In this environment, the loss of even a single laptop can result in a business-jeopardising data breach. The risk of exposing customers and employees to identity theft is also becoming a common public concern; the prospect of heavy ICO fines coming into play for serious data breaches (up to £500,000) will force companies to be more proactive about the security of personal data. Honest mistakes do happen, but there are things you can do to help avoid breaches caused by an insider.

Take a multi-layered approach

With the proliferation of laptops, online chat, peer-to-peer file sharing and handheld digital devices in firms today, no single security measure will provide adequate protection for sensitive company information and expensive hardware. For this reason, organisations should take a multi-layered approach to laptop security that incorporates physical deterrents, robust IT asset management and post-theft measures such as hardware recovery and remote data deletion capabilities.

Here are six important steps for proactive management of mobile computers and the sensitive information they contain.

1. Set company policy

The first step in protecting your company from data breaches is setting a reasonable code of conduct for the use of technology in the workplace and creating a culture of responsibility. The most essential actions include:

  • Identifying information that strictly cannot leave the branch or office premises
  • Agreeing on software or hardware products that are not permitted for use on company equipment
  • Educating employees on company policies and security measures so they feel integral to security, and take responsibility for it themselves

Having set appropriate policies and rallied employee buy-in, the next challenge is ensuring that the policy is enforced by emphasising common sense and taking advantage of readily available technology.

2. Protect against physical theft

Physical deterrents and common sense provide an effective first line of defence. Locks and cables should always be used to deter thieves, but like car door locks, shouldn't be relied on exclusively. Users should bring their laptops with them or lock them out of sight when taking them along is not possible. To keep laptops inconspicuous, cover them when they're in the car and opt for a nondescript case over a tell-tale laptop bag.

3. Implement technology for data protection

Encrypt your sensitive data and password-protect your systems. Every laptop user should choose a complex password made up of numbers and lower-case and upper-case letters, and regularly change those passwords. Also make sure that users have access only to the information they need and not to everything on the network, and regularly review those access rights. Keeping your anti-virus software, firewalls and other common software programs updated and patched will also reduce security holes.

4. Set up effective asset management

Knowing where all your computers are, what is installed on them and who is using them is a powerful security measure. Malware can hide in those fun programs that employees think are harmless to download. You should use IT asset management software and services that allow you to track laptops regardless of their location and that include the ability to detect unauthorised hardware changes and software installations.
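As an added illustration of steps 1 and 4 (not code from the original article or from Absolute Software), the sketch below compares a current laptop inventory with a recorded baseline and a policy list of prohibited products, and reports unauthorised hardware changes, software installations or removals, and laptops that have stopped checking in. The asset IDs, product names, record layout and the 14-day threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: policy list (step 1) and two inventory snapshots.
PROHIBITED = {"p2p-share", "remote-chat"}  # hypothetical product names
BASELINE = {
    "LT-0001": {"user": "asmith", "hardware": {"disk": "SN-A1", "ram_gb": 8},
                "software": {"office-suite", "av-client"}},
    "LT-0002": {"user": "bjones", "hardware": {"disk": "SN-B7", "ram_gb": 8},
                "software": {"office-suite", "av-client"}},
}
CURRENT = {
    "LT-0001": {"user": "asmith", "last_seen": "2011-05-23T09:00:00",
                "hardware": {"disk": "SN-A1", "ram_gb": 8},
                "software": {"office-suite", "av-client", "p2p-share"}},
    "LT-0002": {"user": "bjones", "last_seen": "2011-04-02T17:30:00",
                "hardware": {"disk": "SN-ZZ", "ram_gb": 8},
                "software": {"office-suite", "screensaver-pack"}},
}

def audit(baseline, current, prohibited, now, max_silence=timedelta(days=14)):
    """Return sorted (asset, finding, detail) tuples for review by IT."""
    findings = []
    for asset, base in baseline.items():
        seen = current.get(asset)
        if seen is None:
            findings.append((asset, "missing", "no inventory report"))
            continue
        # Laptop has not checked in recently: possible loss or theft.
        if now - datetime.fromisoformat(seen["last_seen"]) > max_silence:
            findings.append((asset, "stale", seen["last_seen"]))
        # Hardware component differs from the recorded baseline.
        for part, value in base["hardware"].items():
            if seen["hardware"].get(part) != value:
                findings.append((asset, "hardware-changed", part))
        # Software added since baseline; prohibited titles are labelled as such.
        for name in seen["software"] - base["software"]:
            kind = "prohibited-software" if name in prohibited else "unapproved-software"
            findings.append((asset, kind, name))
        # Baseline software (e.g. the anti-virus client) removed since baseline.
        for name in base["software"] - seen["software"]:
            findings.append((asset, "software-removed", name))
    return sorted(findings)

if __name__ == "__main__":
    for row in audit(BASELINE, CURRENT, PROHIBITED, datetime(2011, 5, 24)):
        print(*row, sep="\t")
```

A removed anti-virus client or a swapped disk on a laptop that has also gone silent is the combination worth escalating first, since it ties back to the post-theft planning in step 6.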

5. Back up critical information

No security measure can provide a 100 per cent guarantee that laptops containing company information are not lost. Regularly back up critical information to minimise losses in the event that a laptop is stolen or goes missing; you'll also know what information a criminal might have access to on that laptop.

6. Create post-theft plans

Consider the consequences of a criminal searching through one of your company's laptops for some value they could exploit. Post-theft recovery software is now a reality for businesses of all sizes. You should use a solution that can help recover lost hardware as well as remotely delete data. This keeps the wrong people from accessing your information in a worst-case scenario.

A firm's greatest asset is its people, and mobile computers are worth far more than the cost of the hardware. Mobile access to information should be considered a strategic advantage for an organisation - not a potential liability. With thoughtful planning, effective organisational policy, and the use of new security technologies, firms can safely benefit from the enhanced flexibility and productivity afforded by laptop computers while reducing insider threats.