The vast majority of companies are struggling with data losses from insider events despite having dedicated insider risk management (IRM) programs in place, according to a data exposure report commissioned by Code42.
The study conducted by Vanson Bourne, an independent research firm for technology companies, interviewed 700 cybersecurity professionals, managers, and leaders in the US between January and February.
“Insider incidents are growing and it’s not surprising as we have settled into a hybrid-work arrangement,” said Joe Payne, president and CEO of Code42. “Everything being digitised these days, irrespective of the business you are in, makes for a very easy passage of data by simply clicking through desktops, either intentionally or accidentally.”
The study revealed an average 32% year-on-year increase in data losses from insider incidents, costing each organisation about $16 million per incident. Insider incidents include data exposure, losses, leaks, and thefts originating internally from an existing employee of an organisation.
Insider risks are the most difficult to manage
More than 82% of CISOs admitted being concerned about the insider risk problem in their organisations and the data loss associated with it.
“Employees, partners, and contractors all are provided with access at various levels with different degrees of sensitivity, but the behaviours of the users are not actively monitored,” said Paul Furtado, an analyst at Gartner. “IT security spends are mostly focused on external threats and securing the perimeter from bad actors. Trusted, internal users don’t always have the same level of preventative data protection controls in place and violations often are only discovered once something has occurred.”
Detecting a data loss from an insider event presents an even greater challenge: 75% of CISOs said their companies had failed to do so.
“Insider risk is pervasive across all industries and can span a wide range of potential impact from brief downtime to total loss of data,” said Jimmy Mesta, co-founder & chief technology officer at KSOC, a real-time Kubernetes monitoring company. “Increasing complexity within corporate IT infrastructure and cloud adoption have made insider risk nearly impossible to detect in some circumstances. Insider risk isn’t always intentionally malicious, which can make detections extremely challenging.”
For instance, a command line change to a public cloud account can open up a host of private databases to the internet without triggering a suspicious event log, Mesta said.
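The change Mesta describes is only visible if the cloud control-plane audit trail is actually inspected for it. What follows is an added example, not code from the article, Code42 or KSOC: a small Python detector that walks constructed events approximating the shape of AWS CloudTrail records and flags security-group ingress rules that open a database port to 0.0.0.0/0 or ::/0, and RDS instances switched to publicly accessible. The field names follow CloudTrail's camelCase convention; the account, user and resource identifiers and the database port list are assumptions.

```python
"""Detection over constructed CloudTrail-style events for changes that expose a
database to the internet without looking "suspicious" on their own.
Added example, not code from the article or the Code42 report. Event shapes
approximate AWS CloudTrail records; every account, user and resource ID is made up."""
import ipaddress
from typing import Iterable

# Ports of common managed database engines (hypothetical, editable list).
DB_PORTS = {3306: "mysql", 5432: "postgres", 1433: "mssql", 6379: "redis", 27017: "mongodb"}


def is_world_cidr(cidr: str) -> bool:
    """True when the CIDR covers the entire IPv4 or IPv6 internet (a /0 prefix)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def db_ports_in_rule(rule: dict) -> list[int]:
    """Return the database ports a security-group permission entry covers.
    ipProtocol '-1' means all traffic; otherwise use the fromPort/toPort range."""
    if str(rule.get("ipProtocol")) == "-1":
        return sorted(DB_PORTS)
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None:
        return []
    return sorted(p for p in DB_PORTS if lo <= p <= hi)


def find_exposures(events: Iterable[dict]) -> list[dict]:
    """Return one finding per event that opens database access to the world."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if name == "AuthorizeSecurityGroupIngress":
            for rule in params.get("ipPermissions", {}).get("items", []):
                cidrs = [r.get("cidrIp") for r in rule.get("ipRanges", {}).get("items", [])]
                cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", {}).get("items", [])]
                world = [c for c in cidrs if c and is_world_cidr(c)]
                ports = db_ports_in_rule(rule)
                if world and ports:  # a DB port reachable from anywhere
                    findings.append({"event": name, "actor": actor,
                                     "resource": params.get("groupId"),
                                     "ports": ports, "cidrs": world})
        elif name in ("CreateDBInstance", "ModifyDBInstance"):
            if params.get("publiclyAccessible") is True:  # RDS given a public endpoint
                findings.append({"event": name, "actor": actor,
                                 "resource": params.get("dBInstanceIdentifier"),
                                 "ports": [], "cidrs": []})
    return findings


# Constructed sample log: one routine private-network rule, then three changes
# that would each pass as ordinary admin activity but expose a database.
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-aaaa1111", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-bbbb2222", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "requestParameters": {"groupId": "sg-cccc3333", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
    {"eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"dBInstanceIdentifier": "orders-prod", "publiclyAccessible": True}},
    {"eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {}},
]

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_EVENTS):
        print(f"{f['event']} by {f['actor']} on {f['resource']}: ports {f['ports']} cidrs {f['cidrs']}")
```

None of the three flagged calls fails, errors or needs elevated rights beyond what a deploy role normally holds, which is why they do not surface as "suspicious" on their own; the detection has to key on the effect (a database port reachable from a /0 range) rather than on the actor or the API name. The all-traffic IPv6 rule is included because filters that only check cidrIp and a single port miss it.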
CISOs ranked insider risks (27%) as the most difficult threat to detect, placing it above cloud data exposures (26%) and malware/ransomware (22%).
Various factors leading to failed IRMs
Of the 72% of participants with a dedicated IRM program in place, 71% still believe they could experience an insider incident in the next 12 months. More importantly, 79% of CISOs said they could lose their job over an unaddressed insider breach.
The technologies used in these programs include some combination of IRM tooling (97%), user and entity behaviour analytics / user activity monitoring (97%), enterprise data loss prevention (97%), security awareness training and education (96%) and cloud access security brokers (96%).
One of the reasons contributing to IRM failure is a lack of training. While the vast majority (93%) of CISOs believed the new hybrid work culture has increased the need for security training in their company, about four out of five (79%) admitted the leadership team is not paying enough attention to data loss from insiders.
Also, the share of companies conducting monthly security training dropped from 32% to 27% year-over-year, with the data indicating that most organisations are moving to weekly data security training.
Incidents have also grown because current technologies and programs fail to detect and prevent accidental (as opposed to malicious or negligent) actions. Most respondents regarded accidental incidents as the most concerning insider event type, citing a lack of employee training in safe and secure behaviour as a cause.
“These threats (accidental incidents) typically come from a lack of ‘least privilege’ access as well as missing detection and logging techniques,” Mesta said. “Cloud misconfiguration tops the charts year after year when it comes to the most frequent security challenge as we are now dealing with the protection of APIs in the cloud that are vast and often misunderstood. Over-permission and lack of guardrails will continue to be the main source of insider risk for years to come.”
More often than not, the insiders (employees) are just attempting to make their job easier by exporting data in non-approved ways or sharing it with the wrong individuals or people who do not have the requisite permission to view the data. A lot of times they don’t even know they are doing something wrong, Furtado said.
Insufficient budgets also emerged as a contributing factor, with 69% of respondents reporting plans to expand their budget next year.