Insiders with trusted access to systems and data are jeopardising enterprise information security policies and perimeters with their risky behaviour, a recent data security survey shows.
Data security company Code42, which specialises in data loss protection, visibility and recovery solutions, this year surveyed nearly 1,700 security, IT and business leaders from the U.S., U.K. and Germany on attitudes relating to data loss and recovery. Respondents included CEOs, CIOs, CTOs, CISOs and others with budget decision-making authority.
The results, summarised in the Data Exposure Report, showed that malicious users are not the only insider threat to enterprises. Business and technology leaders are also seriously undermining corporate security with data usage practices and attitudes that they often know are risky but persist with anyway.
For instance, 41 percent of the business leaders in Code42’s survey admitted to downloading unapproved software on their devices despite knowing their IT organisation would consider that a security risk. Their reasons for doing so included convenience; use of the software in their personal lives; and improved productivity.
Organisational leaders are putting sensitive data at risk in numerous ways. More than 79 percent of business leaders keep a copy of their work on a laptop or other personal device not directly under the control of the IT department, though many are aware of the risks involved.
A high percentage of those indulging in this sort of behaviour are aware of the value of the business data they are putting at risk. More than 7-in-10 (74 percent) business leaders in Code42’s survey agreed that data was their organisation’s most precious asset. Troublingly enough though, 65 percent of business leaders held the view that the data they create belongs to them personally. Nearly half (49 percent) of business leaders —and a sobering 72 percent of chief executives —admitted to taking IP with them to their next employer.
Data visibility and the unintentional insider threat
Code42’s report reveals that organisations may be underestimating the threat to data security posed by employees. It showed that just 9 percent of IT and security leaders perceive unintentional insider threats as the biggest risk to enterprise data while 15 percent said the same thing of malicious insider threats. In comparison, a recent McKinsey & Company article noted that a far greater portion – 50 percent – of breaches had a substantial insider component.
In recent years, threat actors have switched from attacking the network to targeting users as well, particularly those with elevated access to sensitive data and systems, such as business and technology leaders. Far more data breaches these days result from employees and executives opening malicious attachments or following links to rogue sites than from malware and external hacking.
Code42’s survey suggests that IT and security leaders are acutely aware of insider risks but are somewhat hampered in their ability to detect and stop it. Seventy-eight percent of CISOs consider users who disregard policy as their biggest security threat. More than seven-in-ten CIOs and CISOs recognise the risk posed by their users downloading unapproved software and 80 percent of chief information security officers say they cannot protect what they cannot see.
For many, the task of securing enterprise data against unintentional insider threats is being complicated by the fact that a lot of the data they need to protect exists only on endpoint devices outside of direct IT control. A startling 73 percent of the IT and security leaders in Code42’s survey believed there was data in their company that existed only on endpoint devices rather than in a centralised server or data center.
Enterprise IT security teams are blind to risky user activity in other ways as well. Thirty-six percent of the business leaders in Code42’s survey who admitted to clicking on unsafe links did not report the fact to the IT organisation because among other things, they were afraid of the blowback.
Data visibility and the ability to respond to risky behaviour by users with trusted access have clearly emerged as important requirements for a high percentage of organisations.
Nearly half—45 percent—of IT and security managers perceive the ability to monitor data movement across the enterprise and on endpoint devices as vital to detecting and stopping threats. Fifty-one percent of business leaders believe their organisations would be better able to identify and prioritise risk if they had visibility over corporate data on endpoint devices, on their networks and in the cloud.
Improved security is not the only benefit that IT and security managers expect to gain from better data visibility. Nearly four-in-ten believe it would also improve their ability to comply with current and upcoming data protection regulations.
Let’s face it, even top employees want to get their jobs done the most efficient way possible. Whether maliciously defying security policies or not, insiders remain a significant, costly threat to valuable IP, and security teams must acknowledge and account for this risk in their data protection strategies. Savvy security teams can start by determining if their traditional data loss prevention (DLP) solutions will adequately protect their organisations in the event of a data loss. If not, they should consider taking a new approach to data security, shifting from a prevention to a protection approach – one that monitors the movement of files within and beyond a security perimeter, especially when combating insider threats.
About the Author
Richard Agnew is Vice President, EMEA at Code42. Today’s progressive, employee-focused, idea-rich organizations are looking for new, less restrictive ways to protect their data. Code42 Next-Gen Data Loss Protection is a simpler, quicker way to secure an organization’s endpoint and cloud data from loss, leak, misuse and theft.