The average data breach now costs a company $3.86 million, up 6.4% since 2017. Unfortunately, data breaches are now so common we rarely go a day without hearing about the latest one. When these breaches are the result of employee actions, for example, accidental data leakage or clicking on a malicious link in an email, it can often be difficult for organizations to know how they can prevent this scenario from playing out again in future.
A big part of this problem is the perception gap between CIOs and IT leaders on one side and, on the other, the employees who handle data on a daily basis, about how likely insider breaches are and what their root causes are. The Egress 2019 Insider Data Breach survey uncovered concerning findings to this effect.
According to the survey, IT leaders predominantly believe that employees are putting sensitive data at risk, both accidentally and maliciously, while employees say they're acting in accordance with corporate policies:
- 79% of IT leaders believe that employees have put company data at risk accidentally in the last 12 months, and 61% believe employees have put company data at risk maliciously
- 92% of employees say they haven't accidentally broken their company's data sharing policy in the last 12 months, and 91% confirm they haven't done so intentionally
- 60% of IT leaders believe that they will suffer an accidental insider breach in the next 12 months, and 46% believe they will suffer a malicious insider breach
These stats highlight a fundamental gulf between CIOs/IT leaders and employees that creates a major challenge for organizations attempting to stem the growing tide of insider breach incidents. With internal actors unaware of, or unwilling to admit, their responsibility, organizations must look to technology to provide the necessary level of mitigation and reporting to protect sensitive assets.
Carelessness and a lack of awareness
While some IT leaders believe data is being leaked by employees on purpose to harm the organization (30%) or for financial gain (28%), other insider data breaches are simply caused by employee carelessness and a lack of awareness. When CIOs and IT leaders were asked to name the leading causes of accidental breaches, the survey found:
- 60% cited employee carelessness
- 44% cited a general lack of employee awareness on data policies
- 36% indicated a lack of training on the company's security tools
According to the survey, this is one area on which CIOs/IT leaders and employees tend to agree. Of those employees who have accidentally leaked data, the survey found:
- 48% blamed themselves for rushing and making a mistake
- 45% accidentally sent data to the wrong person
- 35% were unaware that information should not be shared
- 30% blamed the high-pressure work environment
- 29% said they leaked data by accident because they were tired
Carelessness and a lack of awareness of data policies make a toxic mix that can lead to data breaches, but it's important to note that, overall, employees placed more of the fault with the corporate environment as a leading cause of breaches.
Confusion over data ownership and ethics
One of the most fascinating aspects of the Insider Data Breach survey is the confusion that employees have when it comes to data ownership, which contributes to "why" employees would intentionally share or leak data. According to the survey:
- 60% of employees do not recognize that the organization is the exclusive owner of company data
- 29% of employees stated they believe the data they work on belongs to them alone -- not the organization
So, what can be done to solve this problem?
The survey shows that insider data breaches are frequent and concerning occurrences -- and that, clearly, traditional approaches to tackling this threat aren't working. Employees' autonomy makes it difficult for IT leaders to anticipate their behavior -- whether that's someone acting maliciously to harm the company, trying to cover up or play down an error, or taking shortcuts to get their job done.
Moving forward, IT leaders need to rely on technology to fill this gap in compliance. Advances in machine learning and big data analytics make it possible to define 'good' behavior for groups of employees and for individuals -- and then alert them when they're about to make a mistake, or even block potentially malicious actions. On top of this, organizations should expect comprehensive reporting from all of their security tools so they can prove compliance with the range of regulations they may be subject to (including HIPAA, GDPR, and the NYDFS Cybersecurity Regulation).
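The idea of defining 'good' behavior per sender and alerting on deviations can be made concrete for the most common accidental leak the survey reports, sending data to the wrong person. The example below is added here and is not Egress code or the survey's: it builds a per-sender baseline of recipient domains from constructed sent-mail history and flags an outgoing message whose recipient domain is unseen, rarely used, or a near-miss typo of a known domain (the addresses, thresholds and the `SENT_HISTORY` format are assumptions for this illustration).

```python
from collections import Counter, defaultdict

# Constructed sample of past sent mail as (sender, recipient) pairs.
# This is illustrative data, not survey data; the format is assumed.
SENT_HISTORY = [
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "legal@partner-law.example"),
    ("alice@corp.example", "legal@partner-law.example"),
    ("alice@corp.example", "legal@partner-law.example"),
    ("alice@corp.example", "vendor@supplier.example"),
    ("dave@corp.example", "ops@corp.example"),
]

def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()

def build_baseline(history):
    """Per-sender count of recipient domains seen in past mail (the 'good' baseline)."""
    baseline = defaultdict(Counter)
    for sender, recipient in history:
        baseline[sender.lower()][domain_of(recipient)] += 1
    return baseline

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typo) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_outgoing(baseline, sender, recipients, min_seen=2):
    """Return {recipient: reason} for recipients that break the sender's baseline."""
    known = baseline.get(sender.lower(), Counter())
    flagged = {}
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if known[dom] >= min_seen:
            continue  # well-established recipient domain for this sender
        near = [k for k in known if 0 < edit_distance(dom, k) <= 2]
        if near:
            flagged[rcpt] = "possible typo of known domain %s" % near[0]
        elif known[dom] == 0:
            flagged[rcpt] = "domain never used by this sender"
        else:
            flagged[rcpt] = "domain used fewer than %d times" % min_seen
    return flagged
```

A mail gateway or client plug-in would call `check_outgoing` before send and prompt the user with the reason, which addresses the "rushing" and "tired" causes without blocking legitimate, established correspondence.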
People are the lifeblood of almost every organization -- and technology now needs to step in so that they are no longer also one of its biggest threats.
— At Egress, Mark Bower is the General Manager for North America, responsible for strategic growth and customer success across the region. Prior to Egress, Mark led product and business strategy for Voltage Security, acquired by Hewlett Packard in 2015 and a pioneer in new data encryption technology methods that are now NIST standards in modern data-centric security for cloud, mobility and IoT applications.