Based on responses from 28 corporate security executives across 10 business sectors, the survey found 93 percent claimed human behavior was the biggest threat to their organizations' security, up from 88 percent in 2014, the first time that Nuix collaborated with Ari Kaplan Advisors on such a study to track developments influencing corporate security strategy.
According to the report, “Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices,” 71 percent of respondents reported having an insider threat program or policy; 21 percent attributed some of their security team's spending increases to additional protections against internal hazards and 14 percent reported allotting 40 percent or more of their budget to insider threats.
Human behavior within companies, prompted by losing out on a promotion or impressing the competition with proprietary sales leads, more likely will lead to a data breach than an outside attacker, Keith Lowry, Nuix senior vice president for business threat intelligence and analysis, told SCMagazine.com.
“When [companies] do vetting, such as background checks at the time of hire, that's not a good indication of what they might do in the future,” said Lowry, citing Edward Snowden and Chelsea Manning as two individuals who had passed security clearances, only to abscond with data.
But the research found anecdotally that companies treat the insider threat as a risk management matter, Lowry noted. Even if certain employees are found to being stealing company information, typically organizations will make an offer to keep them, depending upon their value to the particular company, he noted.
Lowry cited a situation with which he was familiar prior to joining Nuix: a CTO was caught taking material and was told, “We know what you're doing, but we don't want to lose you. We really value you as an employee.” Both parties agreed to certain terms going forward.
It behooves organizations at the point of hire to spell out internal monitoring policies to new employees, so they're aware they could be discovered taking what they shouldn't, Lowry said. Another is to review access privileges.
Typically, companies don't quickly terminate an employee in an inside data theft situation for fear of public reaction, such as the company's stock price being negatively impacted or its reputation damaged, he pointed out. Such a mitigation approach to the internal threat focuses on “critical value data – how many people have access to things that really matter to the company,” Lowry said.