Have We Become Complacent About The ‘Insider Threat’?

Uploaded on 2023-08-01 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

We’re constantly being warned about the persistent threat to data that comes from people within the organisation. In its latest Data Breach Investigations Report, for instance, Verizon confirms that 74% of breaches involve the human element – which includes social engineering attacks, errors, or misuse.

Findings from Apricorn’s latest research also emphasise the ‘insider threat’ that continues to plague UK enterprises, with clear indications that security leaders simply do not trust their organisation’s employees to keep information safe. Despite this, however, they’re neglecting to take the necessary steps to control the risks.

The security leaders surveyed believe that workers are routinely exposing sensitive data to loss or theft - with 22% saying employees unintentionally putting data at risk had been the main cause of a data breach at their organisation. An alarming 20% cited that employees with malicious intent had been the catalyst for a breach at their company. 

Remote workers specifically had been behind a breach at 26% of organisations, up from 21% in 2022.

Out Of Sight, Out Of Mind?

Almost half of the companies surveyed admitted that their mobile or remote workers had knowingly exposed data to a breach over the last year, a rise from 29% in 2022, while 46% stated that their remote workers “don’t care” about security. 

There appears to be an overall lack of engagement within the workforce around the need to protect the information they create and handle. In some cases this is manifesting as brazen negligence. Perhaps increased familiarity with messages about cybersecurity threats and incidents has led to apathy, or even ‘vigilance fatigue’. It’s also possible that employees who have become used to working away from the office environment have developed a new – overly relaxed – mindset.

In spite of their awareness that ‘insiders’ are not living up to their responsibilities around protecting data, companies don’t appear to be applying the measures necessary to prevent data being compromised. This is particularly the case when it comes to BYOD.

Of those companies that allow employees to use their own IT equipment remotely, only 14% use software to control the systems and data they can access. Nearly a quarter require employees to receive approval to use their own devices, but do not apply any controls, while 17% don’t require approval or apply any controls.

Decentralisation of IT may be behind this apparent ‘loosening of the reins’, as the technology estate moves further away from the organisation, and users – by default – gain greater autonomy over what they do and how. This could be resulting in a potentially dangerous slip in the control that security teams have over the endpoint.

Defuse The Ticking Time Bomb

Three quarters of the respondents to Apricorn’s survey said that, since the EU GDPR came into force five years ago, their organisations had either notified the ICO of a breach or potential breach or been reported by somebody else.

This is hardly the time for companies to be taking a step backwards with regards to the strength of their security controls. UK GDPR is on the horizon, currently working its way through parliament under the guise of the Data Protection and Digital Information Bill. Although we expect a softening of requirements compared with the EU GDPR, the ICO will be no less ready to bare its teeth, and the fallout from fines and reputational damage will be no less painful for the organisations affected.

In its Data Security Incident Trends report, the ICO reveals that 65% of incidents reported in Q4 of 2022 were down to user error, or the incorrect use or configuration of software. Organisations should be investing sufficient time and energy in minimising the potential for human error, and rebuilding a culture that ensures everyone has a security-first mindset, wherever they’re working.

Creating engagement requires ongoing awareness training that is specific and contextual – making sure that employees fully understand the security threats to data and to the organisation, and the likely outcomes in the case of a breach. Corporate security policies may also need a shake-up, especially those that cover the use of employees’ own IT kit. 

Finally, all policies must be enforced through the use of technology. This could involve locking down ports on laptops so they will only accept approved devices, or implementing software that controls access to vital systems and apps.

Mandating the organisation wide automatic encryption of all data will prevent it being compromised, even if a device is lost or stolen, or a disgruntled employee is motivated to cause a breach. 

The ’insider threat’ will always be with us. Human beings will always make mistakes, let their guard down, and behave in ways that leave company data exposed. It’s down to IT and security teams to tighten the reins, put measures in place to control the risk - and enforce them. 

Jon Fielding is Managing Director EMEA at Apricorn                         Image: geralt

You Might Also Read: 

The Top 5 Challenges Of Securing Remote Work:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

« British University Data Breaches Are A Lesson For All
A Database Tracking Maritime Cyber Attacks »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

AtkinsRéalis

AtkinsRéalis

AtkinsRealis is a market-leading design, engineering and project management consultancy operating in fields ranging from infrastructure, through energy and transport to cybersecurity.

Zurich

Zurich

Zurich is a leading multi-line insurer providing a wide range of property and casualty, and life insurance products and services in more than 210 countries and territories.

Cobwebs Technologies

Cobwebs Technologies

Cobwebs Technologies provide web intelligence solutions for Law Enforcement (including cybercrime), Intelligence Agencies and Federal Agencies.

Computer & Communications Industry Association (CCIA)

Computer & Communications Industry Association (CCIA)

CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government.

First Response

First Response

First Response is a Cyber Incident Response and Digital Forensic Investigation company.

Zivver

Zivver

Zivver is the effortless, secure email platform, powering the next generation of secure communications.

BetaDen

BetaDen

BetaDen provides a revolutionary platform for businesses to develop next-generation technology, such as the internet of things and industry 4.0.

VectorUSA

VectorUSA

VectorUSA is a premier technology solution provider. We design, build and maintain cybersecurity, data center, wireless and managed solutions – transforming business needs into technology solutions.

Ministry of Information and Communications (MIC) - Vietnam

Ministry of Information and Communications (MIC) - Vietnam

The Ministry of Information & Communications of Vietnam is the policy making and regulatory body in the field of information technology and national information and and communication infrastructure.

Sontiq

Sontiq

Sontiq is committed to providing best-in-class, highly scalable, award-winning identity security solutions to consumers, businesses and government agencies.

Noetic Cyber

Noetic Cyber

Noetic provides a proactive approach to cyber asset and controls management, empowering security teams to see, understand, and optimize their cybersecurity posture.

LegalByte

LegalByte

LegalByte is a leading provider of comprehensive legal and forensic services dedicated to addressing the complex challenges of the digital age.

Colt Technology Services

Colt Technology Services

Colt Technology Services (Colt) is a global digital infrastructure company which creates extraordinary connections to help businesses succeed.

Runecast Solutions

Runecast Solutions

Runecast Solutions is a global leader in AI-powered risk mitigation, security, continuous compliance and more efficient IT operations management.

Cyber Castellum

Cyber Castellum

Cyber Castellum is a cybersecurity consulting firm that specializes in the identification of security vulnerabilities in an organization’s technology landscape.

Gray Swan

Gray Swan

Gray Swan is the safety and security provider for the AI era, founded by world leading experts in the AI safety and security space.