Imperva releases new data that shows organizations are failing to address the issue of insider threats during a time when the risk is at its greatest.
New research, commissioned by Imperva and conducted by Forrester, found that the majority (59%) of incidents in EMEA organizations that negatively impacted sensitive data in the last 12 months were caused by insider threats, yet most organizations (59%) do not prioritize insider threats the way they prioritize external threats. Despite the fact that insider events occur more often than external ones, they receive lower levels of investment.
This approach is at odds with today’s threat landscape, where the risk from malicious insiders has never been higher. The rapid shift to remote working means many employees now sit outside the typical security controls that organizations employ, making insider threats harder to detect and prevent. Further, “The Great Resignation” is creating an environment with a higher risk of employees stealing data. Data could be stolen intentionally, by people looking to help themselves in future employment or by disgruntled employees seeking revenge, or it could be taken unintentionally when a careless employee leaves the business with important information.
Why are organizations not prioritizing insider threats? The majority of respondents blame lack of budget (39%) and lack of internal expertise (38%), but other problems abound. Nearly a third (29%) of firms do not perceive insiders as a substantial threat, and 33% say their organization’s indifference to insider threats is due to internal blockers such as a lack of executive sponsorship. In fact, almost three-quarters (70%) of organizations do not have an insider risk management strategy or policy, and a majority (58%) do not have a dedicated insider threat team.
The findings show that organizations are woefully underestimating the seriousness of insider threats. Previous analysis by Imperva into the biggest data breaches of the last five years found one quarter (24%) of these were caused by human error (defined as the accidental or malicious use of credentials for fraud, theft, ransom or data loss) or compromised credentials.
Despite increased investment in cybersecurity, organizations are focused more on protecting themselves from external threats than on the risks that might be lurking within their own network, says Chris Waynforth, AVP Northern Europe at Imperva. “Insider threats are hard to detect because internal users have legitimate access to critical systems, making them invisible to traditional security solutions like firewalls and intrusion detection systems. The lack of visibility into insider threats is creating a significant risk to the security of organizations’ data.”
The main strategies currently used by organizations in EMEA to protect against insider threats and unauthorized use of credentials are periodic manual monitoring/auditing of employee activity (50%) and encryption (47%). Many are also training employees to ensure they comply with data protection/data loss prevention policies (65%). Despite these efforts, breaches and other data security incidents are still occurring, and more than half (56%) of respondents said that end users have devised ways to circumvent their data protection policies.
“It is imperative that organizations add insider risk to their overall data protection strategy. An effective insider threat detection system needs to be diverse, combining several tools to not only monitor insider behavior, but also filter through the large number of alerts and eliminate false positives. Also, as protection of a company’s intellectual property begins at the data layer, a comprehensive data protection plan must include a security tool that protects the data layer,” Waynforth said.
Organizations looking to better protect against insider threats should take the following steps:
Gain stakeholder buy-in to invest in an insider risk program. Insider risk is a human problem, not a technology issue, and must be treated as such. It is also a risk that cuts across all parts of the business. Therefore, it is important to get senior executives from across the company to endorse and support the insider risk program for it to be successful. Start at the top to gain buy-in and sponsorship, then engage with leaders from HR, Legal, IT, and other parts of the organization.
Follow Zero Trust principles to address insider risk. Following a Zero Trust approach helps protect data and users while limiting the ability of insiders to use sensitive resources not required by their function.
Build a dedicated function to address insider risk. Since insider risk is a human problem and very sensitive in nature, it requires dedicated resources. These may be part of the security team or, better yet, a separate dedicated function. Either way, this team needs a specific mandate for insider risk and training to recognize and respond to insider threats.
Create processes for your insider risk program and follow them. The sensitivity of insider risk and its associated privacy concerns require that strict policies are implemented and followed. Treat every investigation as if it will end up in court and apply policies consistently.
Implement a comprehensive data security solution. A complete solution goes beyond DLP to include monitoring, advanced analytics, and automated response to prevent unauthorized, accidental, or malicious data access. The technologies you deploy should support the processes you’ve created and the mandate of your insider risk function. Your organization will see cost savings and a reduction in risk from business-impacting security events.