How would your dispensary handle it if your top salesperson or store manager left to work for a competitor? How would your distribution company recover if your competitors started picking off your suppliers, guided by a former employee? How do you protect your intellectual property, including recipes, manufacturing methods, or cultivation practices, from walking out of the door?
External attacks and exotic breaches rule the headlines, but 80% of cybersecurity incidents involve an internal resource, working knowingly or unknowingly, for an adversary. The fact of the matter is that your core financial, customer, and sales data is attractive to your competitors in addition to hackers. Last week, we discussed how to protect yourself from phishing attacks.
It takes approximately 3 impressions to make a marketing message stick. For a quick recap (by my count, Impression #2), phishing attacks rely on someone in your organization to open the message and take an action, often by tricking them into opening an attachment, entering their password into a bogus website, or downloading a browser extension or Microsoft Office macro.
Mistakes happen, but the following actions help prevent approximately 90% of phishing attacks from being effective:
- Teach employees how to recognize phishing messages or a possible attack.
- Define clear support and reporting channels for help.
- Update and maintain your devices, browsers, and computers.
This week, we focus on minimizing your losses in the event of intentional employee data theft. One of our clients ran supply and distribution for suppliers and dispensaries in California. The business team spent most of their time cultivating relationships, negotiating agreements, and ensuring a steady connection between supply and demand. Aging product, stuck in quarantine or on the shelf, was bad. Knowing what was selling and preventing stock-outs was good. The women and men on the supplier management team were (and are) passionate about the cannabis industry and their clients.
At the same client, we quickly realized that an enterprise version of QuickBooks had over 35 active users with full access spread across two countries and four management functions. When questioned, the rationale was that users needed information available in the application to effectively do their job.
While some employees and contractors did need access to sensitive financial data, many others simply needed basic account information or standard reports, e.g., daily sales, open orders, current inventory. Similarly, the number of Salesforce users was comparable, with many users needing only the names and phone numbers of a few accounts, but Salesforce was managed in a way that let everyone see everything.
Statistically, the more people who have access to sensitive information, the higher the chance that sensitive information will be leaked or compromised. We were able to guide that client towards a role-based system which allowed users to access the information they needed without exposing sensitive data to people who did not.
Part of these changes involved creating clear roles and responsibilities. Implementing and adapting to clear roles and responsibilities, including levels of access and training on core IT systems, drove some people to leave the company.
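The shift from "everyone sees everything" to role-based access can be made concrete with a small access model. The following is an added example, not code from the original post or from the client's systems: the roles, permissions, account names and users are constructed for illustration. It shows how scoping permissions by role (and contact access by assigned account) shrinks the set of people who can reach sensitive financial data, and it includes a helper to count that set, which is the number you would want to review before and after a change like the one described above.

```python
# Added example (not from the original post): a minimal role-based access
# model contrasting full access for everyone with access scoped by role.
# All role names, permissions, users and account names are hypothetical.
from dataclasses import dataclass, field

# Permissions, from least to most sensitive (constructed names).
VIEW_CONTACTS = "view_contacts"          # names and phone numbers of assigned accounts
VIEW_STANDARD_REPORTS = "view_reports"   # daily sales, open orders, current inventory
VIEW_FINANCIALS = "view_financials"      # full ledger, margins, payroll
EDIT_FINANCIALS = "edit_financials"

# Permissions that count as "sensitive financial data" for exposure counting.
SENSITIVE = {VIEW_FINANCIALS, EDIT_FINANCIALS}

# Role -> permissions. "everyone_full_access" models the starting state.
ROLES = {
    "sales_rep": {VIEW_CONTACTS},
    "supplier_manager": {VIEW_CONTACTS, VIEW_STANDARD_REPORTS},
    "operations": {VIEW_STANDARD_REPORTS},
    "finance": {VIEW_STANDARD_REPORTS, VIEW_FINANCIALS, EDIT_FINANCIALS},
    "everyone_full_access": {VIEW_CONTACTS, VIEW_STANDARD_REPORTS,
                             VIEW_FINANCIALS, EDIT_FINANCIALS},
}

ALL_ACCOUNTS = "*"  # wildcard meaning "assigned to every account"


@dataclass
class User:
    name: str
    role: str
    accounts: set = field(default_factory=set)  # accounts this user is assigned to


def permissions_for(user):
    """Permissions granted by the user's role; an unknown role grants nothing."""
    return ROLES.get(user.role, set())


def can_access(user, permission, account=None):
    """Role check first; contact access is additionally scoped to assigned accounts."""
    if permission not in permissions_for(user):
        return False
    if permission == VIEW_CONTACTS and account is not None:
        return ALL_ACCOUNTS in user.accounts or account in user.accounts
    return True


def users_with_sensitive_access(users):
    """Names of users whose role grants any sensitive permission (sorted)."""
    return sorted(u.name for u in users if permissions_for(u) & SENSITIVE)


# Constructed sample: the same five people before and after the change.
BEFORE = [User(n, "everyone_full_access", {ALL_ACCOUNTS})
          for n in ("ana", "ben", "cara", "dev", "eli")]

AFTER = [
    User("ana", "sales_rep", {"Harborview Dispensary"}),
    User("ben", "supplier_manager", {"Harborview Dispensary", "Northbay Farms"}),
    User("cara", "operations"),
    User("dev", "finance", {ALL_ACCOUNTS}),
    User("eli", "sales_rep", {"Northbay Farms"}),
]

if __name__ == "__main__":
    print("sensitive access before:", users_with_sensitive_access(BEFORE))
    print("sensitive access after: ", users_with_sensitive_access(AFTER))
    print("ana -> Northbay contacts:", can_access(AFTER[0], VIEW_CONTACTS, "Northbay Farms"))
```

The point of `users_with_sensitive_access` is that it gives a single number to track: in the sample it drops from five to one. The account scoping in `can_access` is what answers the later question about a new salesperson seeing every strategic account.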
Managed attrition is planned and coordinated as poor performers are encouraged to leave. The technology team was informed of these changes and kept a close eye on employee activity to prevent theft or data loss.
Unmanaged attrition takes the organization by surprise. These employees self-select to leave, sometimes with little to no notice. These situations often created a scramble to understand what information they had taken outside of the organization, whether or not their devices were secure, and if the organization had any legal or technical recourse.
Managed or unmanaged, your data loss prevention strategy and solution needs to cover employees who leave (or leave their devices lying around). Approximately 30% of employees have lost a work device. Once you include personal devices used for work purposes, that 30% understates the number of lost devices storing critical business information.
Here is your to-do list:
1 – Restrict your global policy settings, including sharing, email forwarding, and security.
- What good reason would an employee have for forwarding work email to a personal address?
2 – Manage remote access and device storage for all laptops and mobile devices.
- Would you allow a contractor to access your financials from the same machine that their kids use to play Fortnite?
3 – Manage application access. Restrict access to systems and information by role and level.
- Would you allow a new salesperson to access the status of all of your strategic accounts?
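Item 1 on the list, restricting sharing and email forwarding, is easiest to act on if you can see which rules and links already send data outside the company. The following is an added example, not code from the original post or from any mail or file-sharing vendor: the record layout, company domain, mailboxes and file names are constructed, and a real export from your platform will need its own parser in place of the sample lists. It flags forwarding rules that point at addresses outside your domains (reporting disabled rules separately, since they can be switched back on) and sharing links that are public or shared with external recipients.

```python
# Added example (not from the original post): audit constructed mail-forwarding
# rules and file-sharing links for destinations outside the company.
# Domains, mailboxes, file names and the record format are hypothetical.

COMPANY_DOMAINS = {"example-dispensary.com"}  # hypothetical company domain(s)

# Constructed sample of forwarding rules, as an admin export might list them.
FORWARDING_RULES = [
    {"mailbox": "ana@example-dispensary.com",  "forward_to": "ana.backup@gmail.com",        "enabled": True},
    {"mailbox": "ben@example-dispensary.com",  "forward_to": "ops@example-dispensary.com",  "enabled": True},
    {"mailbox": "cara@example-dispensary.com", "forward_to": "cara@competitor-example.net", "enabled": False},
    {"mailbox": "dev@example-dispensary.com",  "forward_to": "dev@example-dispensary.com",  "enabled": True},
]

# Constructed sample of sharing links from a file-sharing export.
SHARING_LINKS = [
    {"owner": "ben@example-dispensary.com",  "file": "Q3 supplier pricing.xlsx",
     "scope": "anyone_with_link"},
    {"owner": "cara@example-dispensary.com", "file": "Daily sales report.pdf",
     "scope": "organization"},
    {"owner": "ana@example-dispensary.com",  "file": "Strategic accounts.csv",
     "scope": "specific_people",
     "recipients": ["ops@example-dispensary.com", "partner@northbay-example.com"]},
]


def domain_of(address):
    """Domain part of an address, lower-cased; a malformed address yields itself."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address):
    """True unless the address belongs to one of the company domains."""
    return domain_of(address) not in COMPANY_DOMAINS


def external_forwarding(rules, include_disabled=False):
    """(mailbox, destination, enabled) for rules that forward mail outside the company.

    Disabled rules are excluded by default; pass include_disabled=True to see
    rules that could be re-enabled without anyone noticing.
    """
    return [
        (r["mailbox"], r["forward_to"], r["enabled"])
        for r in rules
        if (r["enabled"] or include_disabled) and is_external(r["forward_to"])
    ]


def risky_shares(links):
    """(file, reason) for links that are public or shared with external people."""
    findings = []
    for link in links:
        if link["scope"] == "anyone_with_link":
            findings.append((link["file"], "public link"))
        elif link["scope"] == "specific_people":
            external = [r for r in link.get("recipients", []) if is_external(r)]
            if external:
                findings.append((link["file"], "external recipients: " + ", ".join(external)))
    return findings


if __name__ == "__main__":
    for mailbox, dest, enabled in external_forwarding(FORWARDING_RULES, include_disabled=True):
        print(f"forwarding: {mailbox} -> {dest} ({'enabled' if enabled else 'disabled'})")
    for file_name, reason in risky_shares(SHARING_LINKS):
        print(f"share: {file_name}: {reason}")
```

Run against a real export, the two functions give you the list of forwarding rules and links to discuss with their owners before you tighten the global policy, so the change is communicated rather than discovered.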
Our next few blog topics will dig into these subjects in more detail, breaking down how to secure your people, processes, and technology. Remember that in parallel to changing how you manage access and devices, you need to communicate with your employees and team members proactively and clearly. These actions will secure your business, which is especially good for your employees.