Have We Become Complacent About The ‘Insider Threat’?

We’re constantly being warned about the persistent threat to data that comes from people within the organisation. In its latest Data Breach Investigations Report, for instance, Verizon confirms that 74% of breaches involve the human element – which includes social engineering attacks, errors, or misuse.

Findings from Apricorn’s latest research also emphasise the ‘insider threat’ that continues to plague UK enterprises, with clear indications that security leaders simply do not trust their organisation’s employees to keep information safe. Despite this, however, they’re neglecting to take the necessary steps to control the risks.

The security leaders surveyed believe that workers are routinely exposing sensitive data to loss or theft - with 22% saying employees unintentionally putting data at risk had been the main cause of a data breach at their organisation. An alarming 20% cited that employees with malicious intent had been the catalyst for a breach at their company. 

Remote workers specifically had been behind a breach at 26% of organisations, up from 21% in 2022.

Out Of Sight, Out Of Mind?

Almost half of the companies surveyed admitted that their mobile or remote workers had knowingly exposed data to a breach over the last year, a rise from 29% in 2022, while 46% stated that their remote workers “don’t care” about security. 

There appears to be an overall lack of engagement within the workforce around the need to protect the information they create and handle. In some cases this is manifesting as brazen negligence. Perhaps increased familiarity with messages about cybersecurity threats and incidents has led to apathy, or even ‘vigilance fatigue’. It’s also possible that employees who have become used to working away from the office environment have developed a new – overly relaxed – mindset.

In spite of their awareness that ‘insiders’ are not living up to their responsibilities around protecting data, companies don’t appear to be applying the measures necessary to prevent data being compromised. This is particularly the case when it comes to BYOD.

Of those companies that allow employees to use their own IT equipment remotely, only 14% use software to control the systems and data they can access. Nearly a quarter require employees to receive approval to use their own devices, but do not apply any controls, while 17% don’t require approval or apply any controls.

Decentralisation of IT may be behind this apparent ‘loosening of the reins’, as the technology estate moves further away from the organisation, and users – by default – gain greater autonomy over what they do and how. This could be resulting in a potentially dangerous slip in the control that security teams have over the endpoint.

Defuse The Ticking Time Bomb

Three quarters of the respondents to Apricorn’s survey said that, since the EU GDPR came into force five years ago, their organisations had either notified the ICO of a breach or potential breach or been reported by somebody else.

This is hardly the time for companies to be taking a step backwards with regards to the strength of their security controls. UK GDPR is on the horizon, currently working its way through parliament under the guise of the Data Protection and Digital Information Bill. Although we expect a softening of requirements compared with the EU GDPR, the ICO will be no less ready to bare its teeth, and the fallout from fines and reputational damage will be no less painful for the organisations affected.

In its Data Security Incident Trends report, the ICO reveals that 65% of incidents reported in Q4 of 2022 were down to user error, or the incorrect use or configuration of software. Organisations should be investing sufficient time and energy in minimising the potential for human error, and rebuilding a culture that ensures everyone has a security-first mindset, wherever they’re working.

Creating engagement requires ongoing awareness training that is specific and contextual – making sure that employees fully understand the security threats to data and to the organisation, and the likely outcomes in the case of a breach. Corporate security policies may also need a shake-up, especially those that cover the use of employees’ own IT kit. 

Finally, all policies must be enforced through the use of technology. This could involve locking down ports on laptops so they will only accept approved devices, or implementing software that controls access to vital systems and apps.

Mandating the organisation wide automatic encryption of all data will prevent it being compromised, even if a device is lost or stolen, or a disgruntled employee is motivated to cause a breach. 

The ’insider threat’ will always be with us. Human beings will always make mistakes, let their guard down, and behave in ways that leave company data exposed. It’s down to IT and security teams to tighten the reins, put measures in place to control the risk - and enforce them. 

Jon Fielding is Managing Director EMEA at Apricorn                         Image: geralt

You Might Also Read: 

The Top 5 Challenges Of Securing Remote Work:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« British University Data Breaches Are A Lesson For All
A Database Tracking Maritime Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Device Authority

Device Authority

Device Authority specialises in security automation for the Internet of Things (IoT).

Verimuchme

Verimuchme

Verimuchme is a digital wallet and exchange platform to secure, verify and re-use personal information.

X-act Forensics

X-act Forensics

X-act forensics are computer forensic experts with experience in cases of computer fraud, intellectual property theft, and social networking cases.

StormWall

StormWall

StormWall is an Anti-DDoS protection service for websites and networks. We offer 100% protection from all types of DDoS attacks and 24/7 technical support.

PureCyber

PureCyber

PureCyber (formerly Wolfberry Cyber) is an award-winning cyber security consultancy whose goal it is to make cyber security accessible, understandable, and affordable for any organisation.

Polish Centre for Accreditation (PCA)

Polish Centre for Accreditation (PCA)

PCA is the national accreditation body for Poland. The directory of members provides details of organisations offering certification services for ISO 27001.

Ribbon Communications

Ribbon Communications

Ribbon Communications delivers global communications software and network solutions to service providers, enterprises, and critical infrastructure sectors.

ShardSecure

ShardSecure

ShardSecure Microshard technology eliminates data sensitivity, providing security, privacy and compliance beyond encryption.

Skudo

Skudo

Skudo is dedicated to creating innovative best-in-class solutions that protect data exchange with the highest level of security and privacy.

Buchanan & Edwards

Buchanan & Edwards

Buchanan & Edwards delivers forward-focused technology solutions that help our clients transform the way they perform their missions.

OSI Security

OSI Security

OSI Security's primary services include penetration testing, security auditing, web application security testing and risk management.

N2K Networks

N2K Networks

N2K Networks is the world’s first “news to knowledge” network. The news to knowledge network is how you stay at the cutting edge in a rapidly changing world.

Blink Ops

Blink Ops

Blink helps security teams streamline everyday workflows and protect your organization better.

Myrror Security

Myrror Security

Myrror Security is a software supply chain security solution that aids lean security teams in safeguarding their software against breaches.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Lyvoc

Lyvoc

Lyvoc is a premier cybersecurity integration partner renowned for its expertise in supporting its clients to accelerate and secure their digital transformation.