Whether acting out of malice or negligence, insider threats pose a significant security risk to all enterprises. Research commissioned by Egress found that 97% of IT leaders say insider breach is a significant concern.
While the dangers posed by insider threats are becoming more widely recognised, not enough organisations are allocating sufficient resources to mitigate the risk. Too many still focus solely on threats coming from outside the organisation.
What exactly is insider threat?
Insider threats in cyber security are risks posed by individuals from within an organisation. These could be current or former employees, contractors and partners. Such individuals have the potential to misuse their access to networks and assets to disclose, modify or delete sensitive information.
According to Egress’s ‘Insider Data Breach Survey 2020’ report, 78% of IT leaders think employees have accidentally put data at risk in the past 12 months. Seventy-five percent think employees have put data at risk intentionally. Twenty-seven percent of employees say they or a colleague have accidentally shared or leaked company information externally. This is a major change from last year, when only 8% admitted personal responsibility.
Increasingly, headlines have focused on external attacks. However, the risk from employees accidentally or intentionally leaking data is significant and arguably more difficult to confront. Increasing volumes of unstructured data and a wealth of sharing tools make it easier for employees to breach company policy. Taking data to new jobs or downloading it to personal systems to work from home are typical examples of unintentional security breaches.
Dealing with internal data leakages
The challenge for IT leaders is to prevent insider breaches, whether intentional or accidental, while ensuring employees remain productive. Businesses must continue to protect sensitive data while remaining able to investigate incidents taking place within the organisation.
Egress’s second annual survey looks at the causes, frequency and implications of internal security breach incidents. The report examines the perspective of IT leaders and employees on data risk, responsibility and ownership. The research, conducted by Opinion Matters, surveyed more than 500 IT leaders and 5,000 employees in January 2020. Respondents came from the UK, US and Benelux countries.
According to Tony Pepper, Egress CEO, the findings show how IT leaders are resigned to the inevitability of insider breaches. More concerning, they don’t have adequate risk management strategies in place. “While they acknowledge the sustained risk, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the risk. Effectively, they are adopting a risk posture in which at least one-third of employees putting data at risk is deemed acceptable.”
Egress suggests that devising an effective data loss prevention strategy requires organisations to understand which types of data are most vulnerable, and to which type of internal breach.
What data types are most at risk?
Top of the list for both accidental and intentional internal risk is employee data, including personal identifiers and salary information. The next most at risk is company intellectual property (IP), although in the Benelux region this was the data of greatest concern. Considering the current regulatory climate, customer data, including personally identifiable information (PII), only ranked third.
The reputational damage of insider data breaches should not be underestimated. Forty-one percent of IT leaders say financial damage (punitive fines and litigation) would have the biggest impact following a breach. Interestingly, concern about the financial impact was highest in the US (43%) and nine percentage points lower in Benelux (34%). There was less concern about other negative impacts such as customer churn or leaked IP.
The report points to an increased level of cynicism among IT leaders. This is an acceptance that employees, trying to get their job done, can intentionally breach company policy and put data at risk. After all, an intentional breach doesn’t always have malicious motivations, but it is still reckless behaviour that puts company data at risk.
Other perceived motivations for intentional breaches are less benign. These include the belief of 18% of IT leaders that employees take data with them to new jobs. In contrast, 46% of employees said they or a colleague had intentionally breached company policy, for instance by taking customer or project data to a new company.
Twenty-six percent of these employees intentionally took a risk and shared data against company rules, suggesting the company hadn’t provided the tools needed to share information securely. At the same time, 11% were upset with the company and wanted to cause deliberate harm.
Fixing the problem
The nature of insider threats means that traditional preventative security measures are often ineffective. Incredibly, employee reporting appears to be the key component of most organisations’ breach detection strategy: 59% of IT leaders rely on employee reporting for accidental breaches and 57% for intentional breaches.
Breach detection systems were the second most likely way IT leaders say they will be informed about an incident, with 37% selecting this for intentional breaches and 35% for accidental ones.
According to Tony Pepper: “The severe penalties for data breaches mean IT leaders must action better risk management strategies. They must use advanced tools to prevent insider data breaches. They also need better visibility of risk vendors. Relying on employees to report incidents is not an acceptable data protection strategy.”
The changing nature of ‘work’
The nature of work has fundamentally changed in the last 10 years. Employees have become mobile. Organisations are increasingly embracing cloud computing to support business critical infrastructure. Teams of individuals work collaboratively from different locations across the globe.
The shift to flexible working may have a psychological impact too. As employees work outside the physical walls of the company, especially in their home environment, there is a risk that they develop a more proprietary attitude to the data they work on.
At the same time, the regulatory world is changing. GDPR was implemented across the EU in 2018. The newly implemented California Consumer Privacy Act (CCPA) brings potential financial penalties even larger than those levied by GDPR regulators.
It’s quite clear from the Egress report that enterprises lack the forensic tools and skills to audit and prevent insider threats. Consequently, IT leaders require solutions that can respond dynamically to employees’ changing behaviours and motivations. One solution is insider breach technology that protects corporate email and enables employees to collaborate and share online securely, in order to stop security breaches before they happen.