Security Leaders: Data Loss Prevention Cannot Stop Insider Threat
The study shows employees take more risks with data than employers think.
New research from Minneapolis-based Code42 underscores the major data security threat posed by employee actions and disputes the notion that personnel are an effective frontline of defense against data breaches.
The data loss protection provider in its 2019 “Global Data Exposure Report” found insider threats – caused by current and departing employees – expose companies to breaches and put corporate data at risk. The research also questioned whether organizations fund and deploy the correct data security solutions to stop insider threats and asserted legacy data loss prevention solutions fall short in getting the job done.
Code42 maintained 79% of information security leaders believe employees are an effective frontline of defense against data breaches. However, this year’s report disagreed with that idea.
Recognizing employees as the power behind any organization, companies increasingly implement strategies for collaboration to make information sharing easier than ever. Some organizations, Code42 suggested, have not put in appropriate detection and response data security controls, and instead simply trust employees to keep data safe.
However, the study showed employees take more risks with data than employers think, which leaves organizations open to insider threats.
Key findings:
- Rather than sticking to company-provided file sharing and collaboration tools, 31% of business decision-makers also use social media platforms, such as Twitter, Facebook or LinkedIn; 37% use WhatsApp; and 43% use personal email to send files and collaborate with colleagues.
- Seventy-eight percent of chief security officers and 65% of CEOs admit to clicking on a link they should not have, showing that no level of employee is immune to lapses in judgement.
- These types of risk-based actions are why employees caused half of the data breaches companies admitted to experiencing in the previous 18 months, according to both information security leaders and business decision-makers (50% and 53% respectively).
“Organizations are overlooking the most harmful data security threat: their own employees. While security leaders likely are aware of the problem, they may not grasp the sheer magnitude of it. And most have fallen behind in effectively detecting and responding to insider threats,” Joe Payne, Code42 president and CEO, said. “The brutal truth is employees take data. Companies that do not have or underinvest in an insider threat program or rely on legacy data loss prevention solutions, are feeling the pain and winding up in headlines. Security leaders must find a better way to protect sensitive company data and address threats coming from within their own walls.”
Departing employees pose another aspect of the data threat. The report noted that while people generally leave their jobs on a positive note, chances are they are taking more than just memories when they leave; they also pocket proprietary data – negatively impacting their former colleagues.
Equally concerning as departing employees are incoming employees bringing data from their prior organizations. The study found 63% of survey respondents admit to bringing data from past employers to their new jobs, and most employees today feel entitled to personal ownership over their work. In fact, a large majority of information security leaders (72%) agreed, “It’s not just corporate data, it’s my work – and my ideas.”
The Code42 study acknowledged that information security leaders know their data is at risk. While traditional prevention solutions are widespread, these solutions are not proving effective in protecting valuable data, such as customer lists and source code, from insider threats.
The “Global Data Exposure Report” showed 69% of organizations said they were breached due to an insider threat and confirmed they had a prevention solution in place at the time of the breach, and 78% of information security leaders, including those with traditional data loss prevention, believed prevention strategies and solutions are not enough to stop insider threat.
In line with these findings, a commissioned 2019 study, conducted by Forrester Consulting on behalf of Code42, found 81% of survey respondents needed a better way to protect sensitive data without slowing down innovation. Furthermore, 48% of them also deemed it a critical priority in the next year to better protect sensitive company and customer data.
“We’re seeing companies empower their employees without the proper security programs in place, leaving companies in a heightened state of risk,” Jadee Hanson, chief information security officer and vice president of information systems of Code42, said. “In addition to enforcing awareness trainings, implementing data loss protection technologies and adding data protection measures to on- and off-boarding processes, organizations should not delay in launching transparent, cross-functional insider threat programs. Insider threats are real. Failing to act will only result in increasingly catastrophic data loss and breaches.”
The report’s research, conducted via online response during May 2019 by U.K.-based Sapio, included more than 1,000 information security leaders from the U.S., U.K., Germany, Austria and Switzerland. Twenty-one percent of the information security audience represented the C-suite, including chief information security officers, chief security officers, chief information officers and chief technology officers.