Friction between management and employees exacerbates insider threat
In recent years, we’ve seen some of the biggest companies in the world fall victim to data breaches.
But with much of the discussion being focused, to date, on how leaks occur, very few people seem to have stopped to ask why.
According to Verizon’s 2018 Data breach investigations report, 28% of data leaks involve employees or insiders of some kind. In some markets, that figure is much higher, such as in healthcare, where the threat from inside is even greater than that from outside the organisation.
We know human error is a major contributor to these numbers. But why do such costly mistakes happen, repeatedly, when employees handle data? What are business leaders missing?
Are CIOs and CISOs so preoccupied with dealing with the threat of outside cyber attacks that they aren’t paying attention to how potentially disastrous mistakes – or even malicious actions – are happening on their own doorstep?
The gulf between employees and IT leaders
Questioning both IT leaders and employees on the intent behind insider breaches, the Egress Insider data breach survey 2019 has uncovered a huge disparity between the two groups, illustrated by a lack of trust displayed by executives towards their employees.
For example, 79% of IT leaders believe employees have put sensitive company data at risk accidentally in the past 12 months, but 92% of employees countered this by saying they haven’t accidentally broken company policy when sharing information. In addition, 61% of IT leaders think employees have put sensitive company data at risk maliciously in the past 12 months, but 91% denied intentionally breaking company policy.
This chasm, combined with the rapid growth in unstructured data and the ways in which employees can now share data, has the potential to derail an organisation’s security programme.
When asked to name the top three causes for insider breaches, IT leaders put rushing and making mistakes at number one (60%), followed by a general lack of awareness (44%) and lack of training on the company’s security tools (36%). From an employee perspective, out of those who had accidentally shared data, almost half (48%) agreed they had been rushing, but 30% blamed a high-pressure working environment and 29% said it happened because they were tired.
The most frequently cited employee error was accidentally sending data to the wrong person (45%), while 27% had been caught out by phishing emails. More worryingly, more than a third of employees (35%) were simply unaware that information should not be shared, pointing to an urgent need for effective employee education around responsibilities for data protection.
It is also worth pointing out that 55% of employees that intentionally shared data against company rules said their organisation didn’t provide them with the tools needed to share sensitive information securely.
This implies that, while IT leaders seem to have low expectations of their employees when it comes to putting data at risk, they are failing to effectively provide the tools and training needed to prevent a data breach from happening in the first place.