Insider threats. They’re complicated, blurry-lined, political and, in the minds of most organizations, completely and utterly unavoidable. The recent Ponemon Institute study shed some interesting light on the reality of the situation. The report showed that overall there is a definite lack of control over how, and which, employees get access to the company’s most sensitive information.
Before we delve into some of the actual findings from the report and address their implications, let’s take a look at the different kinds of insider threats:
The “I’ll get you back” ex-employee – This is a former employee whose ego has been hurt in some way. They’re angry, and use their access (access that they should no longer have) to damage the company.
The “Camouflager” – This is an outsider who has gained access to a current or former employee’s credentials and can now reach company data as if they were an employee. Their intent is to steal.
The “D’Oh!” employee – This employee accidentally placed sensitive corporate data in harm’s way, either by failing to comply with the company’s data protection rules (if they even exist) or through generally careless handling of data.
Mo’ Access Mo’ Problems…
71%. That’s how many employees have access to company data that they shouldn’t be able to access. To me, this is the most striking number in the entire report. If you think about it, the more people who have access to sensitive data, the greater the chance of an attack actually occurring, because in most cases the attack surface becomes too big for the IT team to protect. The number of profiles, screen names and passwords adds up. The old principle of “less is more” applies here: less access means more security.
The situation is even more complicated by the fact that employees need access to data for business to take place and to be successful. The trick is finding out exactly how many people need access to information. Sigh.
80% of IT security teams do not enforce a least-privilege data model, least privilege meaning that only the people who need access to a piece of data have it. Given that reality, there is no question as to why such a high number of employees can still use their old passwords. This is a “camouflager’s” dream: tons of profiles to send phishing attacks to, gain access through, and wreak havoc with.
The data explosion also lends a helping hand to cyber criminals. In fact, 73% of users feel that the deluge of emails, multimedia files and so on makes it harder to find and access information, and 36% of employee time is spent searching for and consolidating information. Personally, I think this influx of data pushes people to find their own ways of organizing it so that they can make use of it. Employees build folders, organize the data, often in apps like Dropbox and Box, and then share it with coworkers. Companies don’t always have control over what data can be uploaded to these apps. Cyber criminals benefit greatly, as they now have more surface area to attack. More evidence of the human factor in data security, I suppose.
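A least-privilege data model only means something if someone periodically compares the access that is actually granted against what each role needs, and pulls the accounts of people who have left. The script below is an added example (not from this post, the Ponemon report or Bitglass) of that review: it takes a constructed user directory, a hypothetical role-to-resource "need" map and a constructed list of grants, and reports stale grants (the departed ex-employee and the orphan account nobody recognizes), excess grants (active users holding access their role does not call for), and the share of active users who are over-privileged, which is the kind of figure the report's 71% expresses. All names and resources are made up for the example.

```python
# Constructed sample data (hypothetical; not taken from any real system).
# Directory of accounts: status is "active" or "terminated".
USERS = {
    "alice": {"role": "finance", "status": "active"},
    "bob": {"role": "engineering", "status": "active"},
    "carol": {"role": "sales", "status": "active"},
    "dave": {"role": "finance", "status": "terminated"},
}

# The least-privilege baseline: what each role legitimately needs.
ROLE_NEEDS = {
    "finance": {"payroll-share", "ledger-db"},
    "engineering": {"source-repo", "build-server"},
    "sales": {"crm"},
}

# Grants as exported from the file server / SaaS admin console (constructed).
GRANTS = [
    ("alice", "payroll-share"),
    ("alice", "ledger-db"),
    ("alice", "source-repo"),      # excess: finance does not need the code repo
    ("bob", "source-repo"),
    ("bob", "build-server"),
    ("bob", "payroll-share"),      # excess: an engineer with payroll access
    ("carol", "crm"),
    ("dave", "payroll-share"),     # stale: dave has left the company
    ("dave", "ledger-db"),
    ("mallory", "crm"),            # orphan: no directory entry at all
]


def stale_grants(users, grants):
    """Grants held by terminated accounts or by accounts missing from the directory.

    These are the "access that they should no longer have" cases: revoke first.
    """
    out = []
    for user, resource in grants:
        info = users.get(user)
        if info is None or info["status"] != "active":
            out.append((user, resource))
    return sorted(out)


def excess_grants(users, role_needs, grants):
    """Grants held by active users beyond what their role needs."""
    out = []
    for user, resource in grants:
        info = users.get(user)
        if info is None or info["status"] != "active":
            continue  # stale grants are reported separately
        if resource not in role_needs.get(info["role"], set()):
            out.append((user, resource))
    return sorted(out)


def overprivileged_share(users, role_needs, grants):
    """Fraction of active users holding at least one grant their role does not need."""
    active = [u for u, info in users.items() if info["status"] == "active"]
    over = {u for u, _ in excess_grants(users, role_needs, grants)}
    return len(over) / len(active) if active else 0.0


def revocation_list(users, role_needs, grants):
    """Everything the review says should go, stale entries first."""
    return stale_grants(users, grants) + excess_grants(users, role_needs, grants)


if __name__ == "__main__":
    print("Stale grants (terminated or unknown accounts):")
    for user, resource in stale_grants(USERS, GRANTS):
        print(f"  revoke {resource} from {user}")
    print("Excess grants (active users beyond role need):")
    for user, resource in excess_grants(USERS, GRANTS and GRANTS and GRANTS) if False else excess_grants(USERS, ROLE_NEEDS, GRANTS):
        print(f"  revoke {resource} from {user}")
    share = overprivileged_share(USERS, ROLE_NEEDS, GRANTS)
    print(f"Over-privileged share of active users: {share:.0%}")
```

The role-to-resource map is the piece most organizations do not have written down, and it is exactly the "how many people need access" question the post calls hard. In practice the grant list comes from a group-membership or sharing export, and a review like this is worth running on a schedule so the stale list never has time to grow.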
The Blame Game – 47 vs. 47
Only 47% of IT practitioners feel that employees take the necessary steps to make sure confidential data is secure. Conversely, 47% of end users believe that the organization does not strictly enforce policies against misuse of, or improper access to, sensitive company data. Nice.
When it comes down to it, who really is to blame? Is it the employees who should be more careful when downloading and uploading sensitive data? Or the IT practitioners who need to put more stringent data privilege regulations in place?
I would love to hear your thoughts in the comments section below.
Product Marketing Manager @Bitglass