Last February, the discovery of a customer data breach at Fifth Third Bank uncovered a troubling truth. It wasn’t foreign hackers who had accessed the information, but the bank’s own employees, who handed over the data intentionally. Insider threats are a real danger to your organization.
Starting in 2018, personal information that included Social Security numbers, addresses, and account numbers was provided by a small group of employees at a Florida location of the Cincinnati-based bank. Fifth Third has since terminated the individuals and is cooperating with authorities to ensure that justice is served on all accounts, but the incident raises yet another question in the ongoing battle against breaches: how do you protect your business from your own employees?
In short, you cannot avoid it entirely. You have to trust your employees as human beings; otherwise, you wouldn’t have hired them. But you can make sure you have safeguards in place that protect your employees as well as your business. That means it is critical to establish a set of standards that provides checks and balances against any possible wrongdoing.
How to Prepare
While there’s not much you can do to prevent a betrayal by one or more employees, you can prepare for how to respond to threats if and when they do occur, and that includes both insider and outsider threats. Remember to discuss procedures and policies openly, and consider setting up an anonymous reporting system that allows potentially harmful behavior to be reported and investigated before it becomes a bigger issue. A zero-tolerance policy is also important. Conduct regular, ongoing reviews to discuss the danger of participating in or ignoring behaviors that could bring down an entire business. Many businesses don’t survive a breach. Employees may be more likely to report a colleague if they understand that a breach could cost them their own jobs as well.
Have a Plan in Place?
Having a solid cybersecurity program in place is critical. That plan should include technical protections, security awareness training, policies and procedures, breach response plans, and more. This is also where having cyber insurance is critical.
Every day, the tactics and threats we must guard against in the fight against cybercriminals evolve. The people “in our own house” must not be overlooked in those considerations.