Paranoid or Rightfully Concerned? 61% of CISOs Think Staff Leak Data Intentionally

It has long been accepted as truth that staff, an organization’s first and last line of defense, is the vulnerability that malicious actors most take advantage of to steal data or deploy malware. But newer studies show an increase in malicious insiders, and one survey indicates that most IT security leaders believe this to be the case in their organization.

Insider threats – whether malicious insiders or negligent staff – keep IT departments up at night. Recent studies show employees are increasingly targeted by phishing campaigns and ransomware operators. At the same time, most employees remain ill-equipped to spot outside threats, and don’t realize they are engaging in risky practices while handling corporate data. The combination makes insider threats a very real concern among IT leaders in present times.

New research from Egress reveals a major disconnect between IT leaders and employees in their understanding of data ownership and what is appropriate behavior when sharing information. Experts believe this to be a reason for the rise in data breaches.

According to the report, 79% of IT leaders believe employees have put sensitive company data at risk in the last 12 months, and 61% believe it was done deliberately, with ill intent. That’s about the same number as those security chiefs who believe a breach is imminent (as a result of this behavior) in the next 12 months.

Asked about their conduct handling corporate data, staff were reluctant to say they were doing anything wrong. Just over 90% say they haven’t broken company policy when sharing information, either accidentally nor intentionally. Of those who admitted breaking company rules, 55% defended their actions by saying they lacked the tools necessary to share sensitive data securely. Other excuses include: “I was using a mobile device” (19%); “I didn’t have adequate training” (21%); “I was tired” (29%); “I was stressed” (30%), and the list goes on.

The report also reveals that a considerable proportion of employees believe the data they collect, manage and distribute belongs to them personally, or at the very least to their department, so they work under the misconception that they can choose how and with whom it is shared. Younger employees were less likely than their older peers to agree that the organization is the exclusive owner of company data.

Overall, this finding may shed light on why IT leaders think employees are putting data at risk more than employees think they do: employees do not view company data ownership from the same perspective as IT leaders -- they simply don’t see the associated risks. They may not even believe they have done anything wrong in sharing data insecurely, according to the report.

Researchers believe these findings highlight that user education about data ownership must be made clear through policies, HR contracts and training around protecting intellectual property.