FINAL WORD
with malicious intent have every tool they
need at their disposal.
We ask our workforce to do more, share more
and make snap judgements about data
sensitivity, appropriate protection and the
authenticity of email correspondents, all at
the relentless pace of competitive business.
This is set against a backdrop of punitive
data protection regulations. This is a new
environment where data is on the front line
and risk has increased disproportionately.
This shift means the way we understand and
manage insider risk needs to change too. We
must view it in the context of the modern
workplace and data security landscape and
ask: are our expectations of employees’
ability to keep data safe in this environment
realistic? Are we adequately supporting the
human layer of security?

Concern: IT leaders are viewing a new type of risk through an old lens

Evidence from our recent Egress Global
Insider Breach Survey indicates IT leaders
are struggling to adapt how they view and
manage insider risk in this new landscape.
The research asked 500 IT leaders and 5,000
employees about causes, frequency and
impacts of internal security breach incidents
and views about data risk and ownership.
It highlighted discrepancies between IT
leaders’ perceptions of insider breach risk
and how they are managing it.
A staggering 97% of IT leaders are
concerned about this risk. A total of 78%
believed employees had leaked data
accidentally in the past 12 months and
three-quarters believed they had done so
intentionally. Looking ahead, 36% said it
was likely employees would put data at risk
in the coming year.
Despite this concern, when asked what
security tools they have in place to mitigate
insider breaches, just half of IT leaders said
they are using antivirus software to combat
phishing attacks, 48% are using email
encryption to protect data and 47% provide
secure collaboration tools.
IT leaders appear resigned to a degree
of inevitability when it comes to insider
breaches, acknowledging the sustained
risk but not adopting new strategies or
technologies to mitigate them. They’re
viewing a new risk through an old lens by
continuing to focus on static prevention
strategies aimed at securing the devices and
network layers, rather than addressing the
human layer where mistakes are actually
made. Effectively, they are adopting a risk
posture in which employees putting data at
risk is deemed acceptable. From a
board-level perspective, this must be cause for
serious concern.

Components: Analysing the human layer

Employees offer considerable insight into
insider breach risk. Our research found 27%
said they or a colleague had accidentally
leaked data in the past year and 29% had
deliberately breached company policy when
sharing data.
The effect of the mobile, always-on culture
was reflected in reasons employees gave for
accidental data leaks. A total of 23% said
they had done so because they were using a
mobile device and the same percentage said
they were under pressure when they made
the error. One in five cited tiredness as the
cause of their mistake. The ever-growing risk
from phishing emails was a factor in 41%
of accidental data breaches, while 31%
admitted accidentally sending data to the
wrong person. These figures are needlessly
high given the availability of security tools
that use contextual Machine Learning to
prevent misdirected emails, stop the wrong
attachments being attached, alert users to
phishing emails and help employees use
encryption tools correctly.
Reasons given for deliberate breaches
reflect everyday frustrations and ethical
frailty in the workforce. A quarter took a risk
and shared data against company policy
because they didn’t have the right tools to
share it safely, while 46% took company
data with them when they went to a new
job. These responses show employees are
not being supported to share data safely
and that a significant percentage should be
monitored more closely based on breach risk.
C-level executives should also recognise
the diverse personality types that present
varying risks. Our research showed that, on
average, more senior employees are more
likely to intentionally breach data sharing
rules. A total of 78% of director-level
employees said they had done so in the past
year, compared with 10% of clerical workers.
In contrast, 44% of clerical staff have
misdirected an email, while only 20% of
directors admitted to making this mistake.
Another aspect affecting insider risk is
employees’ attitudes to data ownership. Our
research found only 41% understand that
data belongs exclusively to the business.
Others felt it belonged to departments,
teams or individuals that had worked on it.
This proprietary view explains employees’
tendency to take data with them to new jobs
or take risks when sharing data.
Again, this points to the need to support
and manage the human layer of data
security. In a pressurised, connected
workplace, it’s not realistic to expect that
employees will get things right every time,
or that they will always act honourably
in accordance with company policy. At
Egress we understand this and we have
developed contextual Machine Learning
tools that provide a safety net for users to
prevent breaches, protect data and ensure
regulatory compliance against the new
generation of human-activated breaches –
without compromising productivity.
Gaining a better understanding of insider
breach risk means executives must recognise
how it has evolved; understand how
employees view data ownership and the
different personalities in the workforce that
put data at risk; and ultimately ensure IT
leaders are deploying solutions that mitigate
today’s risks, not those of the past.
www.intelligentcio.com