Have We Become Complacent About The ‘Insider Threat’?

Uploaded on 2023-08-01 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

We’re constantly being warned about the persistent threat to data that comes from people within the organisation. In its latest Data Breach Investigations Report, for instance, Verizon confirms that 74% of breaches involve the human element – which includes social engineering attacks, errors, or misuse.

Findings from Apricorn’s latest research also emphasise the ‘insider threat’ that continues to plague UK enterprises, with clear indications that security leaders simply do not trust their organisation’s employees to keep information safe. Despite this, however, they’re neglecting to take the necessary steps to control the risks.

The security leaders surveyed believe that workers are routinely exposing sensitive data to loss or theft - with 22% saying employees unintentionally putting data at risk had been the main cause of a data breach at their organisation. An alarming 20% cited that employees with malicious intent had been the catalyst for a breach at their company. 

Remote workers specifically had been behind a breach at 26% of organisations, up from 21% in 2022.

Out Of Sight, Out Of Mind?

Almost half of the companies surveyed admitted that their mobile or remote workers had knowingly exposed data to a breach over the last year, a rise from 29% in 2022, while 46% stated that their remote workers “don’t care” about security. 

There appears to be an overall lack of engagement within the workforce around the need to protect the information they create and handle. In some cases this is manifesting as brazen negligence. Perhaps increased familiarity with messages about cybersecurity threats and incidents has led to apathy, or even ‘vigilance fatigue’. It’s also possible that employees who have become used to working away from the office environment have developed a new – overly relaxed – mindset.

In spite of their awareness that ‘insiders’ are not living up to their responsibilities around protecting data, companies don’t appear to be applying the measures necessary to prevent data being compromised. This is particularly the case when it comes to BYOD.

Of those companies that allow employees to use their own IT equipment remotely, only 14% use software to control the systems and data they can access. Nearly a quarter require employees to receive approval to use their own devices, but do not apply any controls, while 17% don’t require approval or apply any controls.

Decentralisation of IT may be behind this apparent ‘loosening of the reins’, as the technology estate moves further away from the organisation, and users – by default – gain greater autonomy over what they do and how. This could be resulting in a potentially dangerous slip in the control that security teams have over the endpoint.

Defuse The Ticking Time Bomb

Three quarters of the respondents to Apricorn’s survey said that, since the EU GDPR came into force five years ago, their organisations had either notified the ICO of a breach or potential breach or been reported by somebody else.

This is hardly the time for companies to be taking a step backwards with regards to the strength of their security controls. UK GDPR is on the horizon, currently working its way through parliament under the guise of the Data Protection and Digital Information Bill. Although we expect a softening of requirements compared with the EU GDPR, the ICO will be no less ready to bare its teeth, and the fallout from fines and reputational damage will be no less painful for the organisations affected.

In its Data Security Incident Trends report, the ICO reveals that 65% of incidents reported in Q4 of 2022 were down to user error, or the incorrect use or configuration of software. Organisations should be investing sufficient time and energy in minimising the potential for human error, and rebuilding a culture that ensures everyone has a security-first mindset, wherever they’re working.

Creating engagement requires ongoing awareness training that is specific and contextual – making sure that employees fully understand the security threats to data and to the organisation, and the likely outcomes in the case of a breach. Corporate security policies may also need a shake-up, especially those that cover the use of employees’ own IT kit. 

Finally, all policies must be enforced through the use of technology. This could involve locking down ports on laptops so they will only accept approved devices, or implementing software that controls access to vital systems and apps.

Mandating the organisation wide automatic encryption of all data will prevent it being compromised, even if a device is lost or stolen, or a disgruntled employee is motivated to cause a breach. 

The ’insider threat’ will always be with us. Human beings will always make mistakes, let their guard down, and behave in ways that leave company data exposed. It’s down to IT and security teams to tighten the reins, put measures in place to control the risk - and enforce them. 

Jon Fielding is Managing Director EMEA at Apricorn                         Image: geralt

You Might Also Read: 

The Top 5 Challenges Of Securing Remote Work:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

« British University Data Breaches Are A Lesson For All
A Database Tracking Maritime Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

44CON

44CON

44CON is an Information Security Conference & Training event taking place in London. Designed to provide something for the business and technical Information Security professional.

Direct Recruiters Inc

Direct Recruiters Inc

Direct Recruiters is a relationship-focused search firm that assists IT Security and Cybersecurity companies with recruiting high-impact talent.

Brinqa

Brinqa

Brinqa is a leading provider of unified risk management and security analytics.to manage IT governance and technology risk.

Systancia

Systancia

Systancia offer solutions for the virtualization of applications and VDI, external access security, Privileged Access Management (PAM), Single Sign-On (SSO) and Identity and Access Management (IAM).

Center for Cyber Safety and Education

Center for Cyber Safety and Education

The Center for Cyber Safety and Education works to ensure that people across the globe have a positive and safe experience online through our educational programs, scholarships, and research.

Cyfirma

Cyfirma

CYFIRMA offers Cyber threat visibility and intelligence suite and services aimed at keeping your organization’s cybersecurity posture up-to-date.

Adyta

Adyta

Adyta specializes in cybersecurity solutions adapted to the needs of sovereign institutions, business groups and other organizations that handle information and sensitive or classified data.

StartupXseed Ventures

StartupXseed Ventures

StartupXseed Ventures is a smart capital provider for Deep Tech, B2B, Early Stage Startups. We support, NextGen Tech Entrepreneurs, who have potential to deliver the outsized growth.

Pathway Communications

Pathway Communications

Established in 1995, Pathway Communications – is part of the Pathway Group of Companies, a Canadian IT Managed Services organization.

Zuul IoT

Zuul IoT

Zuul take an asset-centric approach to OT security, enabling security teams to protect the critical IIoT/IoT devices that are at the foundation of critical business functions.

Salus Cyber

Salus Cyber

Salus is a provider of world-class cyber security services, enabling our clients to identify and manage their cyber risks proactively and effectively.

Daisy Corporate Services

Daisy Corporate Services

Daisy is one of the largest providers of communications and IT solutions across the UK, with a portfolio spanning unified communications, cloud, cyber security and resilience.

AuthMind

AuthMind

Prevent your next identity-related cyberattack with the AuthMind Identity SecOps Platform. It works anywhere and deploys in minutes.

LockMagic

LockMagic

Lockmagic is an information asset management solution to protect, track, audit and control accesses to sensitive information inside and outside your organization.

SIGLA Group

SIGLA Group

SIGLA Group specialize in the design and development of IT and OT solutions, from analysis to design, from implementation to commissioning, as well as consultancy, training and assistance.

ABPCyber

ABPCyber

ABPCyber offers holistic cybersecurity solutions spanning DevSecOps, advisory and consultancy, designing and integration, managed operations, and cybersecurity investment optimization.