Despite years of warnings about the risk of insider cyber threats, the number of incidents and the associated costs have risen sharply over the last two years. The burden of responsibility for data protection is not being shared across organisations, with senior employees often found to be the most irresponsible. A cultural shift is required if companies are to get on top of the insider threat.
Insider threats are threats to a company – either accidental or deliberate – that emanate from an organisation’s own employees. The threat could come from a disgruntled worker overlooked for promotion, an employee stealing data before taking a new job, or a negligent or careless employee or contractor.
Insider threats on the increase
This type of threat is becoming more common. According to security researcher The Ponemon Institute, the number of insider-caused cybersecurity incidents has increased by 47% in the last two years, with the average annual cost increasing by 31% over the same period to $11.45m. With regulators applying more scrutiny as a result of the General Data Protection Regulation (GDPR) and starting to hand out significant fines, costs can be expected to rise.
Email security vendor Egress’s Insider Data Breach Survey found that 97% of IT leaders believe insider breach risks are a significant concern. About three-quarters of IT leaders think employees have put data at risk accidentally in the past 12 months, and 75% believe employees have put data at risk intentionally. This situation is unlikely to change without a cultural shift.
Trouble starts at the top
The Egress survey revealed that those in senior roles were the most blasé about data security and the most likely to leak data. More than three-quarters of directors surveyed had intentionally shared data against company policy, and 68% had taken data to a new job. What is needed is a change in the corporate environment, and this starts at the top. The carelessness exhibited by senior members of the organisation sends entirely the wrong message about data protection to employees.
The survey also found that 59% of IT leaders are now relying on employees to report their own or their colleagues’ accidental data breaches. If these processes are to work, employees must take greater responsibility for data security and feel they are part of a company-wide effort.
In too many organisations, it is unclear who is responsible for data protection. Only 37% of employees felt everyone had equal responsibility for data protection, and just 8% of directors considered data protection to be a shared responsibility.
A responsible approach to data protection must come right from the top of an organisation if it is to create an inclusive environment that encourages employees to report data breaches without fear for their future careers.