When it comes to enterprise data, it is employees who create some of the biggest risks, yet they still hold a considerable amount of trust from senior cybersecurity and business leaders. Those are the somewhat contradictory findings of the 2019 Global Data Exposure Report, conducted by Forrester Consulting and commissioned by data loss protection software maker Code42.
The study showed that employees take more risks with data than their employers think, which leaves organizations open to insider threats. One key finding is that many enterprises still have not established company-wide file sharing and collaboration platforms. Instead, staff fall back on consumer-grade services such as social media (Twitter, Facebook, LinkedIn, WhatsApp) and personal email to send files and collaborate with colleagues.
All of this points to widespread staff disregard for security policy, with employees using whatever applications and services they need to get their work done. In the survey, 77% of the security leaders questioned agreed that this very activity is the most significant risk to an organization.
When data is treated this way, shipped beyond the reach and the observability of security teams, enterprises lose control of their intellectual property. Once data lands in a staffer's personal cloud storage account, there is no way to control it, and no way even to know where it goes from there. Still, a sizable share of business decision-makers use social media (31%) or personal email (43%) to collaborate on and share the organization's data.
Other studies have shown the insider threat to be considerable. Last year Luana Pascu wrote that, in the year before her post, 159 organizations from the United States, Canada, Europe, the Middle East, Africa and the Asia-Pacific region dealt with 3,269 security breaches caused by insiders, many of them down to plain negligence. The average annual cost of insider incidents had risen to $8.76 million per organization, according to that study. The most expensive incidents were reported in the finance sector, at an average of $12.05 million, followed by energy and utilities ($10.23 million) and industrial and manufacturing ($8.8 million).
Another area of high risk is the period when employees have decided to leave an organization. The Code42 study found that a sizable percentage of employees believe the work product they generate on the job belongs to them. That is probably no surprise to anyone. What is surprising is that 72% of information security leaders agreed: in their view it is not just their employer's data, it is their own work and their own ideas.
If staff believe the data is theirs, it will come as no surprise that just shy of two-thirds of respondents (63%) admitted to bringing data to their current job from a previous employer.
Earlier this year, Filip Truta covered a survey of just over 600 enterprises in Insider Threat Detection a Serious Problem for U.S. Businesses. It found that organizations do not understand the insider risk: respondents were underprepared for insider attacks and lacked the ability to identify and respond to them.
“A key finding is that the ability to detect ‘stealth’ attackers is lower than it should be. Only 42 percent of respondents say their IT security team is doing a good job at detecting whether a staffer is acting maliciously. When it comes to identifying abnormal activity and resource usage, the team’s effectiveness is lower, according to 38 percent of respondents,” Truta wrote.
Detection remains poor at a large number of organizations. While the remaining respondents did say they had reduced attacker dwell time, 44% either had not or did not know whether they had (which, in practice, amounts to the same thing).
Despite the risks insiders pose, a surprising 79% of information security leaders said they view employees as an effective defense against data breaches.
Nor is it only rank-and-file staff whose bad judgement puts data at risk; security and business managers do the same. According to the survey, 78% of CSOs and 65% of CEOs admitted to clicking on a link they should not have.
No wonder the threat from insiders remains so high: the cybersecurity and business leaders who should know better, and who should set the example, fail to do so. Nothing is going to change until they do.