While external threats present an ever-present risk for large and small enterprises, according to a newly released report, the actions of a company's own employees, suppliers and partners pose more of an immediate danger.
The annual Clearswift Insider Threat Index (CITI), which surveyed more than 500 IT decision-makers and 4,000 employees across the U.S., U.K., Germany and Australia, examines the risks insiders pose to their organizations and why firms have been slow to address internal security threats.
Although workers responded that they're aware of the significance of data protection, actually taking the necessary steps to ensure security in the workplace becomes less of a priority for them as they seek to perform their job functions efficiently. In fact, 40 percent of firms expect a data breach in the next 12 months as a result of employee behavior, and employees indicated a widespread lack of awareness of good cybersecurity practice.
The consequence is that over the last year, 78 percent of breaches have originated from within the extended enterprise (including contractors and ex-employees), the report found.
Employee awareness is a major part of the problem:
92 percent of organizations in the U.S. have experienced a data breach on some level in the last 12 months – of these, 40 percent say they have seen growth in the number of internal breaches.
75 percent of global employees believe their company provides inadequate levels of information about data policies and what is expected of them.
58 percent of global employees lack understanding of what might actually constitute a security threat from within their organization.
72 percent of global security professionals believe internal security threats are still not treated with the same level of importance as external threats by the Board.
50 percent of global employees admit that they disregard data protection policies at work in order to get their job done.
73 percent of breaches have originated from within the extended enterprise globally in the last year.
The researchers call for more education and training to prioritize data accountability and to drive home internal data security as a core business objective. Striking the right balance between productive work habits and safeguarding enterprise data is key to achieving a more robust internal security culture, the researchers claimed.
"Companies with good, existing data protection habits and a well thought through data security policy are in better shape to survive a breach, whether internal or external," Heath Davies, CEO at Clearswift, said in a statement. "The insider threat represents a ticking time-bomb for businesses and one, it seems, that they are unprepared for."
And the insider threat comes in many forms, some malicious, but the vast majority unintentional. Indeed, 62 percent of security incidents which arose within the extended enterprise originated from either inadvertent or accidental behavior, with 38 percent of security breaches caused by deliberate or malicious activity.
The rapid rise within the enterprise of workers using their own devices to conduct business has brought convenience and cost savings, but also has introduced a new form of security concern, the biggest being a lack of awareness around data security issues (68 percent), an increase in use of personal cloud apps (64 percent) and an increase in viruses brought about by personal devices (60 percent). With workers preferring to use their own devices over company-certified technologies, IT departments are suffering, the report found, as they lack the visibility needed to detect and protect against potential internal threats.
Creating further risks is the explosive growth of social media – with its complementary void of definitive guidelines. Eighty percent of those surveyed believe social media has exacerbated the internal security threat for many companies.
Another key factor in controlling the risk from insiders is convincing top executives and the board of the importance of internal threats, the report found. Despite survey results indicating increased awareness of the risk from internal threats, this sentiment was not shared among top executives, with 78 percent of respondents saying that internal security threats are still not treated by the board with the same level of importance as external threats.
"If employees are to guard against their own mistakes, more direction is needed from higher up the business," the researchers said.
The CITI results also substantiated a distinct disconnect between IT personnel and employees, leading the report authors to call for more training of employees in security protocols and policies. That is because employees are too often unconcerned about causing a data security breach within their organization, the report found. Just under a quarter (23 percent) are very concerned about causing a security breach and believe they have a responsibility to keep company data safe, an attitude that measures lower when compared to U.S. workers (36 percent). This lack of concern leads to employees becoming more complacent.
"Education, knowledge and transparency around the consequences of data security are the stepping stones needed to create a safer working environment," the report summed up. Instructing staff about how to safeguard critical information (68 percent), making workers care more about the consequences of a breach (56 percent) and increasing spend in data loss prevention tools (54 percent) are the top priorities needed to minimize the risk of internal security breaches.
"With these pillars in place, businesses can strengthen their defenses against security threats and breaches," the report concluded.