More bad security news from the Great Resignation: Code42’s new research on Wednesday said that when employees quit their jobs, there’s now a 37% chance the organization will lose intellectual property.
The research also adds that some 96% of all companies surveyed say they have experienced challenges in protecting corporate data from insider risks.
Despite acknowledging the issue, only 21% have a dedicated component to mitigate insider risk and the vast majority of senior cybersecurity leaders — 91% — still believe that their company board members need a better understanding of insider risk.
“With employee turnover and the shift to remote and collaborative work, security teams are struggling to protect IP, source code, and customer information,” said Joe Payne, president and CEO at Code42. “This research highlights that the challenge is even more acute when one-third of employees who quit take IP with them when they leave. On top of that, three-quarters of security teams admit that they don’t know what data is leaving when employees depart their organizations.”
The turnover of cybersecurity employees increases the risks associated with the Great Resignation, added Kevin Dunne, president at Pathlock. Dunne said as more employees leave companies with a broader level of access, the number of tasks related to deprovisioning user accounts has dramatically increased.
“With a smaller number of cybersecurity professionals in place, the backlog of deprovisioning tasks is growing and means a longer delay between an employee's end-of-service and the removal of their access rights,” Dunne said. “The longer the ‘hangover’ period, the greater risk exposure the company has. The only solution to this problem in the short term will be to apply automation wherever possible, to expedite and fool-proof the deprovisioning process for departing employees.”
Archie Agarwal, founder and CEO at ThreatModeler, said when organizations model the threats to their business, they consistently underestimate insider threats for two reasons: a vulnerability within their infrastructure or applications can allow an outsider to assume insider accounts or roles (sometimes privileged); and no organization has 100% employee retention, so insiders become threat agents when their relationship with the organization changes. Taken together, Agarwal said, these two possibilities reflect a substantially higher probability of insider threats being realized than security groups initially estimate.
“It’s not so much that an organization’s cybersecurity is lax — many organizations have made great strides in the last few years towards a more secure posture,” Agarwal said. “However, when an organization’s business practices change (such as sending workers home from the office), the hard-fought security controls implemented may no longer be in play. Put simply: the threat model changes. When this occurs, organizations should reevaluate who can access their systems, from where that access occurs, and what possible opportunities for misuse or abuse have opened up. The key is for organizations to detect that business practices have changed and have an easy way to triage their impact to posture.”
Part of the difficulty companies have in detecting insider threats is that they are dealing with individuals who have been granted legitimate access to the data they are exfiltrating, said Kevin Novak, managing director at Breakwater Solutions.
Novak said security programs for most firms are designed to protect the confidentiality, integrity, and availability of data from individuals who don’t have legitimate access. He said that to understand whether a legitimately entitled individual is stealing data or otherwise violating policies or employment agreements, an enterprise must have the following:
- Data classified (manually or automatically).
- Entitlements clearly defined so that it’s understood what data an individual should have access to, and what actions that person can perform with that data.
- Tools and protocols in place to prevent that person from performing actions that are contrary to their designated level of entitlement. This often comes down to simple detect/hold technologies like DLP tools, plus more sophisticated tools that detect anomalies in an individual’s behavior, such as someone trying to download an entire list of client records when they normally look at only one record at a time.
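The two checks Novak describes, an entitlement check and a behavioral anomaly check, as an added illustration that is not code from the article or from any vendor quoted in it. The access log, the entitlement table, and the threshold values (`factor`, `min_records`) are constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample access log (not real data): (user, day, action, records_touched)
SAMPLE_LOG = [
    ("alice", "2022-03-01", "view", 1), ("alice", "2022-03-02", "view", 2),
    ("alice", "2022-03-03", "view", 1), ("alice", "2022-03-04", "view", 1),
    ("alice", "2022-03-05", "view", 2),
    ("alice", "2022-03-06", "export", 500),   # bulk pull of the client list
    ("bob", "2022-03-01", "view", 3), ("bob", "2022-03-02", "view", 4),
    ("bob", "2022-03-03", "export", 40),      # entitled, and below min_records
    ("bob", "2022-03-04", "view", 3),
]

# Hypothetical entitlement table: which actions each user may perform on client records.
ENTITLEMENTS = {"alice": {"view"}, "bob": {"view", "export"}}


def daily_record_counts(log):
    """Sum records touched per user per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, _action, n in log:
        counts[user][day] += n
    return counts


def find_anomalies(log, entitlements, factor=10, min_records=50):
    """Return (user, day, finding, detail) tuples for unentitled actions and volume spikes.

    A day is a spike when its record count is at least `factor` times the median
    of that user's other days and at least `min_records`, so a user whose normal
    baseline is one record a day does not trigger on two.
    """
    findings = []
    for user, day, action, _n in log:
        if action not in entitlements.get(user, set()):
            findings.append((user, day, "unentitled_action", action))
    for user, days in daily_record_counts(log).items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            if not others:
                continue
            if count >= min_records and count >= factor * median(others):
                findings.append((user, day, "volume_spike", count))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, ENTITLEMENTS):
        print(finding)
```

On the sample log the bulk export by alice is reported twice, once because export is outside her entitlement and once as a volume spike, while bob's entitled, modest export is not reported.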