Insider risk is not a new attack vector, but it is perhaps the fastest-growing vulnerability organizations face today. Before the COVID-19 pandemic, digital transformation, powered by collaboration technologies and SaaS platforms, had already expanded the threat surface beyond the network perimeter, making it much easier for employees to exfiltrate data without getting caught. Then the workforce shifted to a remote model almost overnight, exacerbating the risk and leaving some security teams unprepared to deal with the rising threat.
Code42’s latest Data Exposure Report on insider risk found that both business and security leaders are allowing massive insider risk vulnerabilities to fester in the aftermath of the significant shift to remote work in the past year. We saw an example of potential insider risk with the Google outages in December 2020; employees didn’t even know they were putting their organization at risk.
With Google down for hours, employees were forced to find workarounds to share documents (other than, for instance, Google Docs) and to communicate with clients and teams (other than via Gmail and Hangouts). Such actions, albeit not deliberately malicious, expose organizations to increased risk whenever employees step outside the outlined protocols for asset sharing. The same scenario played out with the Amazon outage in November and the Microsoft outage in December.
According to the report, three-quarters of IT security leaders said their organizations have experienced one or more data breaches involving the loss of sensitive files in 2020, and more than half (59%) said insider threats will continue to increase in the next two years. This is primarily due to users having access to files they shouldn’t, employees’ preference to be as productive as possible, sometimes regardless of security protocols, and the normalization of remote work.
Despite these forces, more than half (54%) still don’t have a plan to respond to insider risks.
Lack of Preparedness
An unprecedented year has stretched organizations in many ways as everyone scrambled to keep up with massive, sudden change. It’s been all-hands-on-deck as security professionals were reallocated to remote support, ensuring that users have reliable, consistent access to the tools and information they need to maintain business continuity. However, for some organizations, 2020 has laid bare the failure of existing security infrastructure, up and down the stack, to keep up with today’s digital workplace.
The severity of insider risk is consistently underestimated, even as risky file behavior rose sharply this year. The Data Exposure Report shows that organizations are not even measuring the efficacy of their insider risk mitigation programs, and this inattention will threaten the future of the digital enterprise.
Consider these insights from the report:
- Employees are 85% more likely to leak sensitive files now than before COVID (28% leaked files pre-COVID versus 52% today).
- IT security leaders called out malicious insiders and careless employees as the two most common causes of data breaches, ahead of external attacks, yet less than 20% of security budgets in 2020 were spent on insider risk.
- Nearly six out of ten IT security leaders say insider threats will increase, or increase significantly, over the next two years.
- It takes an average of 118 days to identify a data breach and 55 days to contain one—a nearly six-month process.
- Less than half of organizations (46%) have an insider risk response plan in place.
- Traditional data loss prevention (DLP) controls frustrate employees: 51% of IT security leaders field daily or weekly complaints that legitimate work is being blocked.
Protect Against Insider Risks
Recognizing insider risk indicators and creating a formal insider risk program is a great place to start. This involves putting technologies and processes in place that can identify risky behaviors without inhibiting the organization’s collaborative culture and employee productivity. Seek out technologies that flag insider risk indicators such as off-hours activity, file-extension changes, access to files from a highly confidential project, or an employee’s resignation. None of these is conclusive on its own (off-hours work is routine for many roles), so when indicators are spotted it is critical that they are correlated with other events in the business and, if necessary, acted on before further damage occurs.
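To make the correlation step concrete, here is an added example (not Code42’s software or the report’s methodology) that scores constructed file-activity events against the indicators named above. The sample events, the HR feed of departing users, the confidential-project paths, the indicator weights and the review threshold are all assumptions chosen for illustration; the point is that indicators are combined per user and surfaced for review rather than any single one triggering a block.

```python
"""Score file-activity events against insider-risk indicators.

Added example, not Code42's product logic. Event and HR records below are
constructed sample data; the indicator weights and the review threshold are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample: one day of file-activity telemetry (e.g. from an endpoint agent).
EVENTS = [
    {"user": "alice", "ts": "2021-03-02T14:10:00", "action": "open",
     "path": "/shared/marketing/q1_plan.pptx"},
    {"user": "alice", "ts": "2021-03-02T22:45:00", "action": "upload",
     "path": "/shared/marketing/q1_plan.pptx", "dest": "personal-drive"},
    {"user": "bob", "ts": "2021-03-02T23:30:00", "action": "rename",
     "path": "/projects/falcon/customer_list.xlsx",
     "new_path": "/projects/falcon/holiday.jpg"},
    {"user": "bob", "ts": "2021-03-02T23:31:00", "action": "upload",
     "path": "/projects/falcon/holiday.jpg", "dest": "usb"},
    {"user": "carol", "ts": "2021-03-02T10:05:00", "action": "open",
     "path": "/projects/falcon/roadmap.docx"},
]

# Constructed business context that endpoint telemetry alone does not carry.
CONFIDENTIAL_PROJECTS = {"/projects/falcon/"}   # highly confidential project paths
DEPARTING_USERS = {"bob": "2021-03-01"}        # user -> resignation notice date (HR feed)
BUSINESS_HOURS = (time(8, 0), time(19, 0))

# Assumed weights: no single indicator reaches the review threshold on its own.
WEIGHTS = {
    "off_hours": 1,
    "extension_change": 2,
    "confidential_project": 2,
    "departing_user": 3,
    "external_destination": 2,
}
REVIEW_THRESHOLD = 5


def indicators_for(event):
    """Return the set of risk indicators a single event exhibits."""
    found = set()
    ts = datetime.fromisoformat(event["ts"])
    start, end = BUSINESS_HOURS
    if not (start <= ts.time() <= end):
        found.add("off_hours")
    if event["action"] == "rename":
        old_ext = event["path"].rsplit(".", 1)[-1].lower()
        new_ext = event["new_path"].rsplit(".", 1)[-1].lower()
        if old_ext != new_ext:
            found.add("extension_change")
    if any(event["path"].startswith(p) for p in CONFIDENTIAL_PROJECTS):
        found.add("confidential_project")
    if event["user"] in DEPARTING_USERS:
        found.add("departing_user")
    if event.get("dest") in {"usb", "personal-drive"}:
        found.add("external_destination")
    return found


def score_users(events):
    """Aggregate indicators per user so that correlated signals, not isolated
    ones, drive the decision. Returns {user: (score, indicators)}."""
    per_user = defaultdict(set)
    for ev in events:
        per_user[ev["user"]] |= indicators_for(ev)
    return {u: (sum(WEIGHTS[i] for i in inds), inds) for u, inds in per_user.items()}


def users_to_review(events, threshold=REVIEW_THRESHOLD):
    """Users whose combined indicators warrant analyst review (not an automatic block)."""
    return sorted(u for u, (s, _) in score_users(events).items() if s >= threshold)


if __name__ == "__main__":
    for user, (score, inds) in sorted(score_users(EVENTS).items()):
        print(f"{user}: score={score} indicators={sorted(inds)}")
    print("review:", users_to_review(EVENTS))
```

With this data, alice’s late-night upload to a personal drive scores 3 and carol’s daytime access to a confidential file scores 2, so neither is escalated; bob’s combination of a departure notice, an extension change on a confidential-project file, and a copy to USB scores 10 and is queued for review. In practice the HR feed and project classifications would come from live systems, and the weights would be tuned against the organization’s own false-positive rate.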
If security teams are armed with the right context around risks, they’re likely to stop deploying technologies that block file sharing. Blocking access and sharing is not the answer, as it inevitably disrupts legitimate work and impacts productivity both for employees and security teams. It also makes employees more likely to turn to alternative, unsanctioned options for sharing information and collaborating as a means to remain productive. In order to move forward in this increasingly digital world amid the hybrid workforce, security leaders must collaborate, be proactive and have plans in place to manage insider risk.