Annual Data Exposure Report 2022: Part III
We’ve been warning of the heightened Insider Risk from the combo of the hybrid-remote work shift and the Great Resignation for well over a year now. So we were thrilled when our 2022 Data Exposure Report showed that most organizations are now well aware of the problem. An encouraging 95% of business leaders, cybersecurity leaders and cybersecurity practitioners say that high turnover is raising cybersecurity concerns, and 97% say the remote work shift has presented heightened cybersecurity concerns. But despite Insider Risk finally getting the attention of the C-suite, budgets aren’t budging: Spending on Insider Risk Management barely increased at all over last year, leaving 73% of respondents saying their budgets fall well short of what they need.
The reason, it seems, is a problematic misalignment between what business leaders are focused on — and what cybersecurity practitioners say they need.
Recapping our 2022 Data Exposure Report blog series
In case you missed our first and second blogs diving into the key findings from this year’s Annual Data Exposure Report 2022 study, here’s what you need to know: Vanson Bourne independently surveyed 700 business leaders, security leaders and practitioners from companies in the U.S., uncovering three trends driving data exposure risk right now:
- Cloud technologies drive the modern workforce: The continued adoption of cloud technologies by the hybrid-remote workforce – and security’s lack of visibility into data as it moves across those technologies.
- The Great Resignation: Sustained, high turnover increasing risk of departing employees’ theft of IP.
- Internal misalignment on Insider Risk: Ongoing misunderstanding and poor communication between stakeholders at the board, security leadership and security practitioner levels.
This is the last in our three-part blog series on these key trends, diving into the misalignment that’s keeping cybersecurity programs underfunded and underprepared.
Everyone is shouting about Insider Risk — but no one is listening
Cybersecurity practitioners are intimately immersed in the Insider Risk problem — they’re dealing with it every day. Most of these savvy pros increasingly understand the roots of the rising Insider Risk — and they’re getting a better idea of the tools and strategies needed to address it. But nearly three in five (57%) practitioners say their cybersecurity leaders aren’t collaborating with them when building Insider Risk Management strategies and solutions.
This is rather ironic, given that our Data Exposure Report survey showed cybersecurity leaders also feel like they’re just fighting to make their voices heard. A majority (56%) of cybersecurity leaders say business leadership (C-Suite and board of directors) doesn’t adequately include them in strategic decision-making.
And the icing on this cake of irony is that boards, too, are more concerned about the Insider Risk problem than ever. In particular, BODs are increasingly worried by the threat of insider data exfiltration of IP that gives their companies competitive market advantages. A whopping 85% of pre-IPO companies cite Insider Risk as a Board-level priority and 82% indicate Insider Risk is discussed at every Board meeting.
Miscommunication & misalignment between cybersecurity practitioners and leadership
One big reason for this miscommunication is that these parties are focused on different priorities. Cybersecurity practitioners — the people tasked with stopping the threats — are tactically focused on how data is being exfiltrated. But as mentioned before with regard to IP risk, business leaders are worried about understanding what content and value Insider Risk threatens.
Of course, both are critically important. But cybersecurity practitioners say that business leaders’ focus on protecting their “crown jewels” is well-intentioned but misguided. The vast majority (91%) of cybersecurity practitioners say their companies’ boards need a better understanding of what Insider Risk actually looks like. To take that a step further, cybersecurity practitioners increasingly recognize that focusing on protecting some data fails to plug the gaps that are allowing Insider Risk to grow in the first place — that the right approach needs to start by gaining visibility into all data, all users and all data activity.
This disconnect — between cybersecurity practitioners, cybersecurity leaders and business leadership — explains the budget misalignment when it comes to Insider Risk Management programs. Just 21% of cybersecurity budgets are focused on Insider Risk — due in some part to the top-level focus on protecting just the most valuable data. And as a result, three in four (71%) cybersecurity practitioners say they can’t fully see what and/or how much sensitive data is leaving the company.
An overlooked opportunity: Employee training
The 2022 Data Exposure Report isn’t all bad news. For example, survey responses showed that most companies could make major headway against Insider Risk with one simple, tactical strategy: better, smarter employee training. We know that Insider Risk is a people problem — and it’s increasingly clear that it requires people-centric solutions. Rigid tech solutions (i.e., DLP, CASB) just don’t work because they can’t account for human ingenuity/creativity — and ultimately drive Insider Risk further into the shadows.
This has never been more apparent: As companies continue adapting to new ways of working and hybrid-remote models, over half (55%) of respondents say they’re worried employees have become lax in their cybersecurity practices/protocols. Almost all (96%) companies identify the need to improve the data security training they give to employees, with around a third (32%) saying they need a complete overhaul.
Unlike other data security challenges, the unique part about Insider Risk is you can get the threat actors working with you. But the key is evolving cybersecurity awareness and training to reflect the new ways of working — to build training that’s as rapid, responsive and personalized as the cloud apps that workers are using every day.
Want to see smart security awareness training in action? Get a quick look at how Code42 Instructor automatically delivers Insider Risk education that’s proactive, situational and responsive.
And see how Incydr gives you a toolset to build a modern Insider Risk Management framework.