Insider threats should remain a real concern for businesses as criminals look for ‘easy access’, says AJ Thompson, CCO at the IT consultancy Northdoor.
The threat of employees accidentally giving cyber criminals access to sensitive data remains a real problem for organisations. For years the old adage of employees remaining your weakest link has remained true and a recent report from the Ponemon Institute has backed this up.
The 2020 Global Encryption Trends Study has shown that 54 percent of respondents identified employee mistakes as the top threat to sensitive data, by far the biggest threat with system or process malfunction (31 percent) and hackers (29 percent) following someway behind. The fact that employees remains the biggest threat is a real issue. It means that employees have not fully embraced or learnt to take security practices seriously, organisations have not effectively communicated the importance or cyber criminals have continued to enhance their weapons to gain access. It is of course a mixture of all of these things, but organisations have to find ways to better protect sensitive data from this threat. The stakes have never been higher.
The cost of the ‘Insider Threat’ and data exposure
The importance of protecting data is now so high profile, any loss of data is a national story. The public, politicians and regulators now have such a good understanding of the value of data that every company holding data is under huge scrutiny.
The financial cost is bad enough. Again, the Ponemon Institute in its 2018 Cost of Insider Threats study showed that the average cost of an insider-related incident is around $513,000, with insider-related incidents costing companies up to $8.76 million a year. It is not just a financial concern though. The introduction of regulations such as GDPR has thrown data into the spotlight like never before. The public and particularly the media now have a full understanding of its value and the importance of securing it. Therefore, any breach makes front page headlines, causing huge damage to the company, no matter how the data was exposed.
Communicating the threat
Communicating the importance of data and securing it has to be high on an organisation’s agenda, alongside finding technological solutions to combat it. The key is how you communicate. Bringing employees along the journey of implementing new technology and highlighting the importance of following security policies is crucial. The amount of resource implemented to combat the threat of malicious outsider threats become a waste of time if your employees are leaving the door open anyway. Buy-in is crucial. Part of gaining this buy-in is industrialising the process of data protection. Taking away the emphasis on individuals and manual processes and automating data collection and protection is a crucial step to secure employee buy-in.
By emphasising the importance of sticking to security guidelines and being aware of the latest threats and the methods that criminals are using to infiltrate infrastructure, as well as bringing them on the journey of implementing new technology, ensures that employees are more aware of doing the right thing at the right time.
The impact of the coronavirus is likely to impact the nature of the accidental insider threat. The fact that individual mistakes were happening inside the corporate environment where security was heightened and the IT/security teams could keep a closer eye on activity, means that in the new reality we are all living in, where more people than ever are working at home, and are likely to continue to do so, the threat is greater than ever. Insecure broadband connections, a more relaxed attitude to security practices with individuals more tempted to open links and emails that they might not have in the office, and away from the eyes of the IT department and yet still connected to the corporate infrastructure, all means that this is a vulnerable moment for many companies.
It is this accidental insider threat that is so difficult to deal with, especially away from the corporate environment. With the working from home trend very likely to remain after the threat from COVID-19 fades away, companies have to work out better security practices that incorporate the challenges working from home bring.
Again, automating the process of data protection will help with this the working from home trend, but securing buy-in from employees remains critical.
Don’t just tick the regulatory boxes, be secure
The regulatory landscape around data is an increasingly complex one. The introduction of GDPR is a great example of where regulations are being introduced to combat the threat of data breaches. It is also a good example of how companies are rushing to ensure that they adhere to such regulations. The sheer panic caused by GDPR with companies rushing to tick the boxes of adherence was there for all to see. However, companies should not be thinking “are we compliant” but rather, “are we secure’. There is a difference, regulations cannot be introduced at the speed criminals can implement new, sophisticated technology to gain access. By being compliant you are only as secure as the threat was at the time the regulations were drawn up; it is likely the criminal is already two or three steps ahead.
Being proactive and ensuring best practice security measures are introduced, over and above the regulatory requirements, means that the threat of the accidental insider actions are somewhat nulled, whilst preparing organisations for future regulations. We are living through unprecedented times, but as we have seen this seems to act as an incentive for cyber criminals to up their activity. This, alongside, more employees than ever working at home, away from corporate environments, means companies have to be on the front foot. Being proactive in their approach, ensuring that employees are fully brought in, whilst industrialising data processes and security will be crucial over the coming months.
