“Your organization is and will be compromised by insiders…”
…So concludes a new SANS Institute study about cybersecurity. According to the study, cybersecurity specialists see employees as the number one threat to an organization’s data. Specifically, 74% of the respondents identified negligent and malicious employees as the threat that concerns them the most. The next most concerning risk is contractors who have access to corporate systems. In other words, for all the news and talk about cybersecurity on a national and international scale, the main risk vector remains as close as the next cubicle.
Experian also makes employee-based threats a central focus of concern in its new report, 2015 Second Annual Data Breach Industry Forecast:
Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls. Employees and negligence are the leading cause of security incidents but remain the least reported issue. According to industry research, this represented 59 percent of security incidents in the last year.
[Inserted Update]: Verizon’s 2015 Data Breach Investigations Report, issued 4/15/15, notes:
As with prior years, the top action (55% of incidents) was privilege abuse—which is the defining characteristic of the internal actor breach. We see individuals abusing the access they have been entrusted with by their organization in virtually every industry.
Notably, according to the SANS Institute, nearly a third of respondents believe they have already been attacked by an insider. SANS suggests that the majority of the others just don’t know that they have been attacked. This data is backed up by NetDiligence’s 2014 Cyber Insurance Claims Study, which concluded that 32% of submitted cyber insurance claims involved insiders. Of these, 58% were unintentional and the rest were malicious. Notably, 20% were attributable to third-party vendors.
Most SANS Institute survey respondents say they use (and plan to use) non-technical means as a key part of their proactive response to insider risk. Accordingly, the employment lawyer has another key role in cybersecurity: developing workable policies that enable the employer to best enforce their security protocols through proper restrictions and enforcement measures.
Critically, these policies ought to be a fundamental part of a larger scheme of creating a culture where cybersecurity and its flip side, privacy, become a cultural norm at an enterprise. I have elsewhere called this norm creation “Proactive Privacy.” I do not think it is hyperbole to suggest that this idea of viewing security and privacy on this larger, normative scale — Proactive Privacy — is among the most critical cybersecurity and privacy-preserving tools available.
None of this is to suggest that technical means are an unimportant part of a cybersecurity program. Quite the contrary. Technical means, utilization of simple best practices, auditing and incident response planning are all critical components.
Two more facts to consider:
- 69% of respondents said they have an incident response plan, but just over half of those plans do not include any specific provisions for insider threats.
- 44% of respondents spend 10% or less of their IT budget on insider threats.
Back to Experian:
Despite all signs pointing to employees as the largest threat to a company’s security, business leaders will continue to neglect the issue in favor of more appealing security technologies in 2015. As a result, many companies will miss the mark on fighting the root cause of the majority of breaches.
I’ve addressed this issue before (here, here, and here for instance) and will continue to write about insider threat mitigation.