While data theft and other digital attacks are so widespread, it isn’t as simple as legions of hackers targeting SMBs. Many times, threats can originate from offline sources, whether it be rogue employees, or clandestine physical attacks on company hardware.
In this article, we’re going to talk about some of the common offline threats that businesses face in this digital era, and why physical security training should be incorporated alongside basic cyber security.
Threats from within
There are several ways a company can be attacked from within. Disgruntled employees with a score to settle may attempt to sell company data to third-parties, which happens quite commonly. In fact, a study says that a third of employees will sell company data including patents, customer data, and financial records, if the price is right. 25% of 4,000 surveyed people said they would sell company secrets for £5,000. 3% would sell company secrets for as little as £100, while 35% said they would accept no less than £50,000.
Employee theft has always been a concern for many companies, but this goes far beyond a retail store employee stealing a few pairs of jeans. When the theft is digital and involves company and customer data, it can create huge financial woes for any business trying to repair the damage. Biscom, a security research and development company for the healthcare and financial industries, released a few statistics from their research into data theft by employees. Their findings were:
- 85% of employees admitted to taking company documents and information they had created.
- 30% of employees admitted to taking company documents and information they had not personally created.
- 25% of employees reported taking source code and patent filings.
- 35% of employees took customer data, including names, phone numbers and email addresses.
- 85% admitted to taking company strategy documents and presentations.
But perhaps one of the most important findings from Biscom, was that 90% of respondents said the main reason they stole company data was that the company had no safeguards against it, particularly in startups and SMBs.
Lack of physical security
You can have tremendous cyber security, yet poor physical security for those same company devices. Unlocked server rooms, company laptops left out in the open, sensitive documents not properly filed under lock and key. These are all major security risks. For example, malware can be surreptitiously installed on company computers, providing a backdoor for intruders. This might sound like Mission Impossible stuff, but it’s true, and it happens.
With so much focus on stopping external intrusion on the company network, it’s easy to lose sight of internal intrusion. The HIPAA (Health Insurance Portability and Accounting Act of 1996) for example, while only applicable to companies that handle health information, goes to great lengths in describing physical security for electronic devices, and levies massive fines against companies found to be in violation of HIPAA compliance. It’s an example that should be followed in any other industry.
Many data centers take physical security quite seriously, and physical security training is in fact a requirement for many data center employees. All companies, whether large corporations or SMBs, should consider the same, especially if sensitive company or customer data is handled through networks. You can read more about physical security training on Inspired eLearning’s physical security training page.
Employee negligence
Many data breaches can be traced back to downright employee negligence, whether online or offline. In the offline realm, it can be something as simple as improper disposal of hardware containing sensitive data. An old company computer should not be simply thrown in the dumpster, where it can be retrieved. If a hard drive is not being recycled and kept within the company, it should be completely and totally destroyed physically, with prejudice.
Other employee negligence mishaps can be things like falling for scam and phishing emails, accidentally providing account credentials to cyber-criminals. Cyber-criminals can be really persuasive, and in fact “social engineering” is one of the most popular tactics used by cyber-criminals.
