As we approach the three-year anniversary of the declaration of a global pandemic, we can all agree on a few things: digital transformation accelerated, work environments will never again be 100% in the office, and the use of SaaS tools to foster collaboration has grown exponentially. All of this has led to a larger and more complex risk profile for security teams to manage. While risk management as a whole is undoubtedly complicated, Insider Risk in particular continues to be the most difficult to detect and reduce.
Annual Data Exposure Report 2023
Our fifth annual Data Exposure Report 2023, conducted by Vanson Bourne, surveyed 700 cybersecurity leaders, managers and practitioners from U.S. companies with 500 or more employees. For past surveys, our goal was to uncover the key drivers of Insider Risk: digital transformation, workforce turnover, hybrid-remote work and the continued adoption of cloud technologies, to name a few. This year, we shifted our focus to try to understand the specific challenges related to building and maintaining Insider Risk Management (IRM) programs, technologies and training.
The 2023 survey uncovered some interesting tension. We found that the Insider Risk problem is getting worse. There is a 32% year-over-year average increase in the number of insider events, equating to an average of 300 events per company per year. But wait – there’s some good news: Awareness of the problem is growing and companies are making investments in technology and setting up programs to address data loss from insiders.
Unfortunately, despite 72% of companies having a dedicated program for Insider Risks, 71% expect data loss from insider events to increase at their company in the next 12 months. This tells us that while companies have invested in Insider Risk Management, they are still struggling with the problem.
Why is Insider Risk Management so difficult?
Our report identified a few key reasons. First, insider events are not always malicious; often, they are caused by employees simply trying to do their jobs. Telling the difference between a person doing their job and a person accidentally leaking data can be very difficult with the tech stack most organizations have today. Second, there are often challenges around technology and visibility. Respondents cite that the top two challenges they face in building an IRM program are 1) having the right technology in place and 2) having technology that provides the right visibility into data loss.
Finally, IRM often brings up allusions to Big Brother; from our experience, the general discomfort around monitoring your peers is often the reason organizations delay setting up a program, as they fear cultural ramifications. To effectively respond to this sentiment, we need to reshape the way employees take ownership of their actions. If 71% of CISOs are uncomfortable monitoring their peers, we aren’t framing the intention of an IRM program correctly. There’s a big difference between monitoring and surveillance. Monitoring simply ensures the digital currency of data has guardrails. As long as you have a culture of transparency where this is communicated openly and regularly to employees, there should be no hesitation in implementing all facets of a well-rounded IRM program.
It doesn’t have to be that way!
At the end of the day, we all want to ensure data retains its confidentiality, integrity and availability (the CIA triad); your coworkers, vendors and partners should feel the same way. You can do this by creating a security-aware culture in which you give employees insight into the ways you plan to monitor data. Most importantly, define what is looked at, how it is looked at and what employees can expect if they go outside the bounds of trust.
Education and scale
The best way to scale an IRM program successfully is to make your coworkers partners in the journey. Many Insider Risk events are careless, so real-time training should be used to shape users’ behaviors and save analysts’ time. Situational training helps institute a common mindset in which mental alarm bells are triggered for employees: “Hold on – I’m doing something that could put my company at risk.” With training, employees are empowered to take ownership of their risk, which provides accountability and a strong foundation for building a culture of Insider Risk Management.
See all the insights from the 2023 Data Exposure Report
This is just a small slice of what we uncovered in this year’s report. It’s encouraging to see that awareness of Insider Risk is growing, and that companies have taken steps to invest in technology and programs. But the buck doesn’t stop at awareness and surface-level implementation. Take a look at our full report to see why deeper investments in culture, training and quality tech are needed to effectively thwart Insider Risk within your organization.