
A Facebook Engineer Stalked Female Users. A Dentist's Receptionist Stole Patients' Identities. Here's How to Prevent These Things From Happening at Your Company. Malicious insiders are the most dangerous security risk of all.

By Larry Johnson Edited by Dan Bova


Opinions expressed by Entrepreneur contributors are their own.


A major risk to businesses is one that they often overlook -- rogue employees, also known as the "insider threat."


While many companies today are devoting more resources to preventing hackers from stealing sensitive information, rogue employees can pose a far more serious risk: they already have inside access to company secrets, clients and technologies, and they are often not sufficiently monitored. According to the Ponemon Institute, an insider-related incident actually costs more than a data breach caused by an outside hacker, $4.3 million per incident versus $3.62 million, and these costs can exceed $8 million over a 12-month period.

Insider threats are also on the rise. A 2018 report by the Ponemon Institute found that malicious insider incidents have grown by 56 percent since 2016.

A quick scan of the news on any given week will show how prevalent these cases are. For instance, in a recent case at Facebook, a security engineer was accused of abusing his privileged access to stalk women online. In January, a Chinese company was found guilty of using an AMSC employee to steal $800 million worth of intellectual property from that company. In April, a former Manhattan dental office receptionist was convicted of stealing the identities of over 650 patients. And the list goes on and on.


Yet, in spite of the risks, many companies remain unprepared. Nearly one-third of companies admit they have no ability to prevent or deter an insider attack, and only 9 percent consider their insider prevention measures to be effective, according to a 2015 study by the SANS Institute.

Preventing this type of abuse isn't easy, but it can be done.

Here are four ways to manage the risk posed by trusted insiders.

Access controls

The key to reducing a company's exposure to insider threats is creating strong "access controls" that limit how much data a single employee is able to freely access in the first place.

No single employee should have unfettered access to all of the company's secrets -- rather, sensitive data should be siloed, and employee access should be decided on a case-by-case basis, determined by the employee's need to access such data in order to fulfill her duties. For example, a sales manager does not need access to the company's intellectual property, and an IT administrator does not need access to the company's client roster. Different roles within a company should also be distinguished by the level of data access they are granted.


Technical controls

In addition to establishing policy controls on data access, a company should also have in place strong technical controls that prevent over-access or abuse by insiders.

These controls should include: encrypting highly sensitive data, so that only specific people can access it; blocking or restricting certain types of tools and websites from employee devices, such as Tor, file transfer protocol (FTP) services, etc.; restricting the use of remote logins to the company's network; resetting passwords immediately for any terminated employee; and requiring regular password resets for all employee accounts in order to reduce the likelihood of learned or shared passwords.

Mobile device management

This is another crucial step, particularly in today's highly mobile and bring-your-own-device business world. A mobile device management (MDM) service enables a company to monitor the content on both company-owned and personally owned devices, as well as to containerize company data and allow for remote wiping if needed.


Monitoring

There are many different tools available for keeping an eye on employees, ranging from all-inclusive Big Brother-style technologies that monitor all employee activity on devices (such as email, social media, web browsing, etc.) to more focused tools like exfiltration monitoring, which only looks for files being transmitted from the company network to a remote IP address.

However, it's important for companies to not be too heavy-handed with employee monitoring, or it could backfire. If employees feel they aren't trusted or valued by the company, they could act out -- the exact thing the company is trying to avoid in the first place.

It is best to take a more moderate approach with monitoring, by focusing on what really matters. Exfiltration monitoring, file access monitoring (who is accessing important files, and when and where) and email monitoring are three good steps to take.
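As an added illustration (not from the article), the short Python script below applies the need-to-know rule from the access-controls section to a constructed file-access log and flags the things the monitoring section calls out: access outside an employee's role, activity by an account that should already have been disabled, and a large transfer to an external IP address. The role mappings, log format, network ranges and size threshold are all assumptions made for the example.

```python
import ipaddress

# Assumed need-to-know map: which data classes each role may touch (siloed data).
ROLE_ACCESS = {
    "sales": {"client_roster"},
    "engineering": {"intellectual_property"},
    "it_admin": {"infrastructure"},
}
# Assumed list of terminated accounts whose access should already be revoked.
TERMINATED = {"j.doe"}
# Assumed corporate address space; anything outside it is treated as external.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log: user,role,data_class,action,bytes,destination_ip
SAMPLE_LOG = """\
a.lee,sales,client_roster,read,2048,10.1.4.22
a.lee,sales,intellectual_property,read,4096,10.1.4.22
m.ito,it_admin,client_roster,read,120000,10.2.0.9
m.ito,it_admin,infrastructure,read,1024,10.2.0.9
j.doe,engineering,intellectual_property,copy,900000000,203.0.113.8
r.kim,engineering,intellectual_property,read,512,10.3.1.5
"""

def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        user, role, data_class, action, size, dest = line.split(",")
        records.append({"user": user, "role": role, "data_class": data_class,
                        "action": action, "bytes": int(size),
                        "dest": ipaddress.ip_address(dest)})
    return records

def is_external(ip):
    return not any(ip in net for net in CORPORATE_NETS)

def review_access(records, exfil_threshold=100_000_000):
    # Returns (user, reason) findings; one record can yield several findings.
    findings = []
    for r in records:
        if r["user"] in TERMINATED:
            findings.append((r["user"], "terminated account still active"))
        if r["data_class"] not in ROLE_ACCESS.get(r["role"], set()):
            findings.append((r["user"], f"{r['role']} read {r['data_class']} outside need-to-know"))
        if is_external(r["dest"]) and r["bytes"] >= exfil_threshold:
            findings.append((r["user"], f"{r['bytes']} bytes sent to external {r['dest']}"))
    return findings

if __name__ == "__main__":
    for user, why in review_access(parse_log(SAMPLE_LOG)):
        print(f"{user}: {why}")
```

On the constructed log this reports the sales manager reading intellectual property, the IT administrator reading the client roster, and the terminated account both acting and pushing 900 MB to an outside address, while the engineer's in-role read is left alone.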


While there is no way to completely eliminate the insider threat, by taking a few key steps, companies can drastically lower their risk and keep employees in check. For more on this issue, see the FBI's tip sheet on averting the insider threat.

Larry Johnson

Chief Strategy Officer at CyberSponse

Larry Johnson is chief strategy officer of CyberSponse, a Washington, D.C.-based cyber incident response company serving Fortune 500s and government agencies. He is a 24-year veteran of the Secret Service, where he served as a high ranking supervisor at the Presidential Protection Division as well as special-agent-in-charge of its Criminal Investigative Division. He is also a former chief security officer (CSO) at a Fortune 250 company and a recipient of the International Association of Credit Card Investigators' Police Officer of the Year award and the 9-11 President's Distinguished Service Award.
