It’s not just hackers who attack IT systems. Company employees can also cause damage. However, many companies are not aware of these insider threats.
Imperva, Inc., has released a new study. It shows that organizations are failing to address insider threats when risk is at its highest.
The study, commissioned by Imperva and conducted by Forrester, found that most security incidents (59%) that impacted sensitive data at organizations in EMEA over the past 12 months were caused by insider threats. However, most (59%) do not give them the same priority as external threats. Although insider threats are more common than external ones, less is invested in stopping them.
This practice is at odds with the current threat landscape, where the risk from malicious insiders is higher than ever. The rapid shift to remote working has left many employees outside of typical corporate security systems, making it harder to detect and prevent insider threats. In addition, “The Great Resignation” – the large wave of resignations that mainly affects the US and also occurs in other markets – creates a climate in which there is a higher risk of employees stealing data. Individuals may intentionally steal information to help themselves with future employment or because they are angry and want revenge. A careless employee could also unintentionally steal critical information,
But why don’t companies prioritize insider threats? Most respondents blame a lack of budget (39%) and a lack of in-house expertise (38%), but there are other issues. Almost a third (29%) of organizations do not perceive insiders as a severe threat, and 33 per cent say their indifference to insider threats stems from internal barriers such as a lack of executive support. Nearly three-quarters (70%) of organizations have no strategy or policy for managing insider risk, and the majority (58%) do not have a dedicated insider threat team.
The results show that organizations grossly underestimate the magnitude of insider threats. A previous Imperva analysis of the top data breaches over the past five years found that a quarter (24%) of these were caused by human error (defined as accidental or malicious use of credentials for fraud, theft, ransomware, or data leakage) or compromised credentials.
“Despite increased investments in cybersecurity, organizations are more focused on protecting against external threats than on the risks that might lurk within their network,” said Kai Zobel, Area Vice President EMEA Central at Imperva. “Insider threats are difficult to detect because internal users have legitimate access to critical systems, making them invisible to traditional security solutions such as firewalls and intrusion detection systems. The lack of visibility into insider threats poses a significant risk to corporate data security.”
The top strategies companies in EMEA currently use to protect against insider threats and unauthorized use of credentials are regular manual auditing/monitoring of employee activities (50%) and encryption (47%). Many also train their employees to ensure they comply with privacy and data loss prevention policies (65%). Despite these efforts, security breaches and other data breaches still occur, and more than half (56%) of respondents said end-users had found ways to circumvent their privacy policies.
“It is imperative that organizations incorporate insider risk into their overall data protection strategy. An effective insider threat detection system must be multi-layered, combining multiple solutions to monitor insider behaviour and sift through a large number of alerts and filter out false positives. Since protecting an organization’s intellectual property starts at the data layer, a comprehensive data protection plan must also include a security tool that protects the data layer,” said Kai Zobel, Imperva’s Area Vice President EMEA Central.
Organizations that want to better protect themselves against insider threats should do the following:
Gain the buy-in of all stakeholders to invest in an insider risk program:
Insider risk is a human issue, not a technological issue, and must be treated as such. It is also a risk that affects all areas of the company. Therefore, it is essential to the success of the insider risk program that it has the endorsement and support of senior management. That’s why it makes sense to start at the top to gain buy-in and support and then involve leaders from HR, legal, IT, and other areas of the organization.
Adhere to Zero Trust principles to manage insider risk:
A Zero Trust approach helps protect data and users and limits the ability of insiders to use sensitive resources that are not necessary for their function.
Establish a dedicated body to deal with insider risk:
Because the insider threat is a human phenomenon and inherently sensitive, it requires reliable resources. These can be integrated into the security team or, even better, form their own dedicated department. This team needs a specific insider risk mandate and training to detect and respond to insider threats.
Establish and follow insider risk program processes:
The sensitivity of insider risk and the associated privacy concerns require that strict policies be put in place and followed. Any review should be treated as if it would end up in court, and the guidelines should be applied consistently.
Implement a comprehensive data security solution:
A complete solution goes beyond DLP (Data Loss Prevention) and provides monitoring, advanced analytics, and automated responses to prevent unauthorized, accidental, or malicious data access. The technologies used should support the established processes and the mission of the insider risk department. This allows the company to save costs and reduce the risk of business-damaging security incidents.
In September 2021, Forrester conducted an online survey of 464 security/IT professionals employed at organizations in APAC (Asia Pacific), EMEA (Europe, Middle East, Africa), and North America who are responsible for insider threat management and response. One hundred fifty-three respondents were based in EMEA.