beebright - stock.adobe.com
Friction between management and employees exacerbates insider threat
Research revealing disparity between workers’ and bosses’ views on data security could shed more light on insider threat
In recent years, we’ve seen some of the biggest companies in the world fall victim to data breaches.
But with much of the discussion being focused, to date, on how leaks occur, very few people seem to have stopped to ask why.
According to Verizon’s 2018 Data breach investigations report, 28% of data leaks involve employees or insiders of some kind. In some markets, that figure is much higher, such as in healthcare, where the threat from inside is even greater than that from outside the organisation.
We know human error is a major contributor to these numbers. But why do such costly mistakes happen, repeatedly, when employees handle data? What are business leaders missing?
Are CIOs and CISOs so preoccupied with dealing with the threat of outside cyber attacks that they aren’t paying attention to how potentially disastrous mistakes – or even malicious actions – are happening on their own doorstep?
The gulf between employees and IT leaders
Questioning both IT leaders and employees on the intent behind insider breaches, the Egress Insider data breach survey 2019 has uncovered a huge disparity between the two groups, illustrated by a lack of trust displayed by executives towards their employees.
For example, 79% of IT leaders believe employees have put sensitive company data at risk accidentally in the past 12 months, but 92% of employees countered this by saying they haven’t accidentally broken company policy when sharing information.
In addition, 61% of IT leaders think employees have put sensitive company data at risk maliciously in the past 12 months, but 91% denied intentionally breaking company policy.
This chasm, combined with the rapid growth in unstructured data and the ways in which employees can now share data, has the potential to derail an organisation’s security programme.
When asked to name the top three causes for insider breaches, IT leaders put rushing and making mistakes at number one (60%), followed by a general lack of awareness (44%) and lack of training on the company’s security tools (36%).
From an employee perspective, out of those who had accidentally shared data, almost half (48%) agreed they had been rushing, but 30% blamed a high-pressure working environment and 29% said it happened because they were tired.
The most frequently cited employee error was accidentally sending data to the wrong person (45%), while 27% had been caught out by phishing emails. More worryingly, more than a third of employees (35%) were simply unaware that information should not be shared, pointing to an urgent need for effective employee education around responsibilities for data protection.
It is also worth pointing out that 55% of employees that intentionally shared data against company rules said their organisation didn’t provide them with the tools needed to share sensitive information securely.
This implies that, while IT leaders seem to have low expectations of their employees when it comes to putting data at risk, they are failing to effectively provide the tools and training needed to prevent a data breach from happening in the first place.
What should organisations do now?
So, how can organisations bridge the divide between employer and employee when it comes to data security? The answer lies in a combination of technology, workplace culture and training.
The answer is not for the IT department to curb “reckless employee behaviour” by placing restrictions on how they handle data. This can have a negative effect on employee productivity, and any restrictions may be circumvented altogether if the user finds they are hindering their work.
Organisations should already know they need to implement security solutions that are easy for employees to work with. It is also important to provide them with the right technology to do their jobs effectively, so they don’t feel they need to turn to non-sanctioned solutions such as file-sharing platforms, for example.
Employees need to be able to rely on the security solutions in place; they should act as a safety net – being able to detect when someone is about to accidentally cause a data breach and preventing this from happening in the first place.
Should IT or the organisation ever try to remove these tools, there should be general outcry from employees (much like if you tried to remove email today) – and if there isn’t, it’s clear these tools aren’t providing enough benefit.
Similarly, employees must understand data ownership – 29% think they have individual ownership over company data, and 60% don’t think their employer has exclusive ownership over it – so it is essential to effectively communicate company policies, as well as those put in place by data privacy regulations such as the General Data Protection Regulation (GDPR).
But addressing the initial “why” behind a breach is just as important as any other solution. Management needs to address why employees are tired or rushing due to the pressure of the job, and consequently making mistakes.
They can then implement changes to reduce these contributing factors and, in turn, lessen the risk of data loss. It is also important that an organisational “blame culture” doesn’t drive employees to hide any unintentional breaches.
Similarly, there needs to be better interaction between CISOs and the rest of the C-suite, so they can describe the insider threat in a way that’s quick and easy to understand.
While “employee trust” should not be used as a foundation for security, IT leaders must work to address and resolve any underlying workplace or behavioural issues. Alongside enforcing data policies and implementing security tools, this will lessen their chance of becoming the next victim of a data breach.
Read more about insider threat
- Whether via the spread of malware, spyware or viruses, insiders can do as much damage as outside attackers. Here’s how to prevent computer security threats from insiders.
- Insider threats pose a serious risk to enterprises. Peter Sullivan explains how enterprises can use background checks and risk assessments for insider threat protection.