Insider Threat is beginning to be accepted as one of the most understated problems in cyber security. This is not just about malicious and criminal individuals working to steal, damage and destroy a company but also the arrogant and inept who ignore security guidelines. These two latter groups are far more likely to cause a data breach than the criminal insider.
So how bad is the Insider Threat? To answer that, data security company Egress commissioned the Insider Data Breach survey. It looked at the issue through two lenses: employer and employee. It seems that there is a chasm between the two when it comes to the understanding and acceptance of the problem.
According to Tony Pepper, CEO, Egress: “The results of the survey emphasise a growing disconnect between IT leaders and staff on data security, which ultimately puts everyone at risk. While IT leaders seem to expect employees to put data at risk, they’re not providing the tools and training required to stop the data breach from happening. Technology needs to be part of the solution.
“By implementing security solutions that are easy to use and work within the daily flow of how data is shared, combined with advanced AI that prevents data from being leaked, IT leaders can move from minimising data breaches to stopping them from happening in the first place.”
What did the Insider Data Breach survey uncover?
The survey talked to 505 CIOs and IT leaders spread across the UK and US. It also talked to over 4000 users across the two countries. It shows the stark disconnect between employers and employees.
Accidental breaches of data policy
79% of employers believe employees have accidentally shared data over the last year. They say that 45% sent data to the wrong person by email. This is easily done due to autocomplete in email and the problems of greater collaboration with outsiders.
92% of employees say “no we haven’t”. However, 35% also admitted they didn’t know what information shouldn’t be shared. This demonstrates a lack of training by employers. Given the emphasis on PII and GDPR over the last year and the risks of a breach, this creates a major business risk.
60% of the IT leaders believe that an accidental breach will happen in the next year.
Deliberate data breaches
This is much more interesting from both parties. There is a clear admission from both sides that this takes place but not quite on the scale that some organisations think. It is also one of those areas that employees see as a grey area. There is a long-standing problem of sales teams taking customer lists and data when they change jobs. In addition, there have been other reports, backed up by this one, of people thinking that any data they create belongs, to some degree, to them.
What did employers say?
- 61% of employers believe that employees have maliciously leaked data.
- 30% believe the data leaks are designed to harm the company.
- 28% say that this was done for financial gain.
These are strong statements but what is missing is the detail around criminal prosecutions and losses from those incidents.
What was the view from employees?
- 8.4% (341) say they deliberately shared data.
- Of that group, 23% (80) admit to taking it with them to a new job.
- Also in that group 55% (187) say that intentionally sharing data against company rules was due to a lack of tools to allow the data to be shared securely.
Who owns the data?
This has always been an interesting challenge for organisations. Most organisations have a blanket clause in employment contracts saying that anything created by the employee as part of their employment belongs to the company. This is not just data but processes, intellectual property and even patents. Some organisations have a more enlightened view and agree a revenue sharing programme with staff to encourage innovation.
In the survey, 29% of employees believed that they have ownership over the data they have worked on. This is something that companies need to address. It is an increasing problem in the content world where people increasingly share copyright material. In addition, the use of images, music and video footage to create derived works is on the rise.
It is always possible that this 29% of employees are younger employees and see the data they create as derivative. Unfortunately, they need to ensure that they first have the rights to use the underlying data and then the employment contract to retain any new rights.
A more worrying trend is the belief among the C-Suite that they own the rights to processes they create. Ownership means that they can move from company to company and recreate successful businesses. Again, this all depends on the employment contract.
Enterprise Times: What does this mean?
The disconnect between employers and employees when it comes to cyber security and data ownership continues to grow. It is hard to see why this is. There is ample information out there for both sides to take responsibility for their actions.
Employees are quick to blame a lack of training when they make mistakes. In some cases they are right but even where training has been completed, mistakes continue to happen. Training is only effective if it is reinforced and the person receiving it is willing to change what they do. Phishing is the most obvious example here. People still click on links without checking them or reading messages properly.
Employers are quick to point the finger at what they perceive as a workforce resistant to change. They claim to make training available but over the last three decades training costs have soared while access to training has decreased. Many employers want employees to self-train. They point to online courses, books and even evening classes. The problem is that training also needs context and that only happens in the workplace.
The malicious and criminal insider threats are only going to be countered by greater awareness of IT staff and technology. Organisations are so busy looking at the external threat that they ignore the internal threat. The rise of User Behaviour Analytics and its role in combating insider threat is important.
Culture also plays its part. Egress says that the next version of this survey will look at more countries and widen the questions. That is important. Many of the statistics need more refinement to understand what is happening.