Have We Become Complacent About The ‘Insider Threat’?

We’re constantly being warned about the persistent threat to data that comes from people within the organisation. In its latest Data Breach Investigations Report, for instance, Verizon confirms that 74% of breaches involve the human element – which includes social engineering attacks, errors, or misuse.

Findings from Apricorn’s latest research also emphasise the ‘insider threat’ that continues to plague UK enterprises, with clear indications that security leaders simply do not trust their organisation’s employees to keep information safe. Despite this, however, they’re neglecting to take the necessary steps to control the risks.

The security leaders surveyed believe that workers are routinely exposing sensitive data to loss or theft – 22% said that employees unintentionally putting data at risk had been the main cause of a data breach at their organisation. An alarming 20% said that employees with malicious intent had been the catalyst for a breach at their company.

Remote workers specifically had been behind a breach at 26% of organisations, up from 21% in 2022.

Out Of Sight, Out Of Mind?

Almost half of the companies surveyed admitted that their mobile or remote workers had knowingly exposed data to a breach over the last year, a rise from 29% in 2022, while 46% stated that their remote workers “don’t care” about security.

There appears to be an overall lack of engagement within the workforce around the need to protect the information they create and handle. In some cases this is manifesting as brazen negligence. Perhaps increased familiarity with messages about cybersecurity threats and incidents has led to apathy, or even ‘vigilance fatigue’. It’s also possible that employees who have become used to working away from the office environment have developed a new – overly relaxed – mindset.

In spite of their awareness that ‘insiders’ are not living up to their responsibilities around protecting data, companies don’t appear to be applying the measures necessary to prevent data being compromised. This is particularly the case when it comes to BYOD.

Of those companies that allow employees to use their own IT equipment remotely, only 14% use software to control the systems and data they can access. Nearly a quarter require employees to receive approval to use their own devices, but do not apply any controls, while 17% don’t require approval or apply any controls.

Decentralisation of IT may be behind this apparent ‘loosening of the reins’, as the technology estate moves further away from the organisation, and users – by default – gain greater autonomy over what they do and how. This could be resulting in a potentially dangerous slip in the control that security teams have over the endpoint.

Defuse The Ticking Time Bomb

Three quarters of the respondents to Apricorn’s survey said that, since the EU GDPR came into force five years ago, their organisations had either notified the ICO of a breach or potential breach or been reported by somebody else.

This is hardly the time for companies to be taking a step backwards with regards to the strength of their security controls. UK GDPR is on the horizon, currently working its way through parliament under the guise of the Data Protection and Digital Information Bill. Although we expect a softening of requirements compared with the EU GDPR, the ICO will be no less ready to bare its teeth, and the fallout from fines and reputational damage will be no less painful for the organisations affected.

In its Data Security Incident Trends report, the ICO reveals that 65% of incidents reported in Q4 of 2022 were down to user error, or the incorrect use or configuration of software. Organisations should be investing sufficient time and energy in minimising the potential for human error, and rebuilding a culture that ensures everyone has a security-first mindset, wherever they’re working.

Creating engagement requires ongoing awareness training that is specific and contextual – making sure that employees fully understand the security threats to data and to the organisation, and the likely outcomes in the case of a breach. Corporate security policies may also need a shake-up, especially those that cover the use of employees’ own IT kit.

Finally, all policies must be enforced through the use of technology. This could involve locking down ports on laptops so they will only accept approved devices, or implementing software that controls access to vital systems and apps.

Mandating organisation-wide automatic encryption of all data will prevent it from being compromised, even if a device is lost or stolen, or a disgruntled employee is motivated to cause a breach.

The ‘insider threat’ will always be with us. Human beings will always make mistakes, let their guard down, and behave in ways that leave company data exposed. It’s down to IT and security teams to tighten the reins, put measures in place to control the risk – and enforce them.

Jon Fielding is Managing Director EMEA at Apricorn
