In today’s hyper-connected world, insider-driven data loss remains a significant threat across industries. Despite the widespread implementation of traditional Data Loss Prevention (DLP) solutions, the latest insights from our 2024 Data Exposure Report (DER) highlight increasing risks.
The rising tide of insider threats + the cost of inaction
There has been a staggering 28% increase in insider-driven data exposure, loss, leak, and theft events compared to 2021. Financially, these events cost an average of $15 million each, as estimated by cybersecurity leaders. However, the costs extend beyond monetary losses, impacting the time and morale of security teams.
Visibility gaps widen in the AI Age
Despite efforts to safeguard their data, companies still need insight into key areas where insider threats often originate. This year’s DER reveals that a vast majority of respondents — 88% for source code repositories, 87% for personal cloud accounts, and 90% for CRM system data downloads — feel the need for enhanced visibility into these critical domains to mitigate internal risks effectively. These systems have traditionally been outside the purview of compliance-focused DLP programs, yet they house much of an organization’s intellectual property and hold value outside of the organization. Awareness around the significance of if this data is misused is becoming top of mind for security programs.
Emerging technologies like AI add new complexities to cybersecurity. While AI holds immense promise, it also introduces unique risks, with 89% of respondents agreeing that their company’s sensitive data is increasingly vulnerable to new AI technologies. Moreover, the growth of Generative AI (GenAI) use brings further challenges, with 87% of leaders worried about employees inadvertently exposing sensitive data through GenAI tools.
Considering the human factor
A fear of AI tools is compounded by their increasing use to fill a widening skills gap in cybersecurity. Over seven in ten surveyed cybersecurity leaders (79%) believe their cybersecurity team has a shortage of skilled workers and these leaders are increasingly looking to AI (83%) and GenAI (92%) to fill this gap. This cybersecurity skills shortage stretches teams thin and creates vulnerabilities within organizations.
In addition to these challenges, specific demographics, notably Generation Z and Millennials, are seen as higher risks due to increased susceptibility to phishing attacks, oversharing company information on social media, and workplace mobility due to job hopping or unplanned restructuring. Respondents also highlight particular employee levels as riskier, with 81% of respondents identifying senior management and 71% pointing to board members as the greatest threat to data security, likely due to their handling of more sensitive data and being a target for spear phishing campaigns.
Is there a path forward from traditional DLP?
This year’s DER has found shortcomings in DLP solutions. With employees creating data faster than ever, it’s impossible to account for all vulnerabilities via the tedious tagging and updating that these legacy tools require. Coupled with unlimited SaaS platforms to share and collaborate on content, the shortcomings affect traditional DLP program effectiveness. Consistent with our past reports, the rate of insider-driven data loss continues to rise, unmitigated by DLP solutions. In short, DLP just isn’t cutting it anymore.
By prioritizing a holistic data security approach built on a cultural foundation of security awareness, and by embracing technology made for the collaborative organization, security leaders can mitigate the risks posed by insider threats and protect their most valuable assets.
Organizations can significantly reduce insider threat risks and protect their vital assets in a volatile digital world by actively embracing three key strategies:
- A holistic data security approach grounded in a culture of security awareness
- Risk-focused visibility
- Right-sized response to data loss events
With the ultimate goal of an overall reduction in data exposure events across the organization.
