How Much Revenue Is at Stake Due to Insider Risk?

Unlocking speed and agility in the work-from-anywhere collaboration culture demands a better understanding of the growing insider risk to valuable data.

August 9, 2021


The pandemic laid bare something the most successful and innovative companies have known for years now: Efficiency is great for today — but agility is how you ensure success tomorrow. In an increasingly dynamic and evolving business world, organizations need the ability to adapt quickly to new circumstances and opportunities, build new innovative solutions, and accelerate time to market in order to create competitive advantage.

Most companies made major leaps forward toward this speed and agility in the past year, freeing workers to leverage new technologies and new ways of working — not just to connect remotely, but to collaborate more dynamically and deliver value more effectively. But unleashing the ingenuity of your people — and building a work culture rooted in speed and agility — has an inherent downside: insider risk to the data, intellectual property (IP), and business value that your fast-and-agile workforce is creating every day. As agility becomes the key growth ingredient, insider risk is becoming the limiting factor: Go too far in locking things down and you'll stifle growth, but ignore it and you expose your growth to growing risk.

Insider Risk Isn't New — but It's Growing

Insider risk encompasses all types of risk to your data — whether that be a malicious employee stealing trade secrets and taking them to a competitor, or an employee simply leaking data by accident. In this new work-from-anywhere world, files are constantly on the move — between endpoints, to and from the cloud, on and off the network. The vast majority of this file activity is harmless. But a surprising (and alarming) amount of file activity puts business value directly at risk — and that risk activity is growing. Code42 research shows that employees are a whopping 85% more likely to lose or leak files and data than they were before the pandemic, and a recent report from the Aberdeen Group showed that the average number of data exposure events — e.g., insiders moving enterprise files to untrusted locations via email, messaging, cloud, or removable media — is 13 per user, per day. Most IT security leaders expect insider risks to continue to increase over the next two years.

Intent Doesn't Matter — Data Leaks Hurt Your Business

An insider risk mindset argues that intentions don't always matter; regardless of intention, data leaks jeopardize the financial, reputational, or operational well-being of a company, as well as its employees, customers, and partners. The Aberdeen Group report showed that 25% of insider data breaches involve IP. The report gave two ways for businesses to think about the potential cost of having their IP exposed through insider risk: up to 20% of a company's revenue — or as much as 440% of the revenue generated by the exposed IP. Just because the behavior isn't intentionally malicious doesn't mean it's not hurting your business — in a big way.

"Risk Tolerance" Requires Understanding Your Risk

To amp up the agility of their people and their business, organizations are increasingly embracing the "risk tolerance" paradigm for data security — accepting some increased insider risk of data leaks in order to allow people to work in smarter, faster ways. But the truth is that insider risk remains a major blind spot for most organizations. The crux of the problem is homing in on the truly risky activity amid the everyday noise of harmless file activity. But here's a closely related challenge: Most risky activity is just everyday employees, trying to get everyday work done. In fact, insider risk often comes from your most productive and innovative employees finding shortcuts to faster, smarter ways of working — and unknowingly exposing files to risk.

But wherever it comes from, the bottom line is that, without visibility and understanding of insider risk, it's not really an empowered stance of risk tolerance — it's more like involuntary risk acceptance.

Enabling Business Agility Starts With Understanding Insider Risk

If organizations want to continue fostering speed and agility to improve business outcomes — freeing employees to work in new, better, smarter ways — they must understand the inherent risk created. They need to recognize the problem that insider risk presents to their business, and then work to gain a better understanding of what risk looks like in their organization: identifying their most valuable and vulnerable files and data; recognizing the potential cost of losing that IP; and gaining visibility into the biggest insider risks to that IP. With this solid foundation of understanding, IT and security teams can take an empowered stance on enabling the business and tolerating risk — while protecting data and business value.

Code42 is a sponsor of the second annual Insider Risk Summit taking place virtually on September 14–15. Learn more and register to attend at

About the Author


Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore, vice president of research and strategy for Code42, and frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive intelligence, and product marketing teams. Mark joined Code42, a leader in insider risk detection and response, in 2016, bringing more than 20 years of B2B data storage, cloud, and data security experience with him, including several roles in marketing and product management at Seagate.
