This year’s Data Exposure Report (DER) from Code42 shows that Insider Risk is increasingly top-of-mind for cybersecurity leaders and a growing concern for US-based companies. Findings from the report underline the significant impact an Insider Risk event can have on a company’s revenue and reputation, making it an essential risk to mitigate effectively. Unfortunately, other findings in this year’s DER remind us just how hard it can be to address this complex problem.
The challenge of detecting Insider Risks
According to the 2023 DER, Insider Risk was ranked as the most difficult type of threat to detect, with 27% of CISOs citing it as their top challenge. Insider Risk events are often harder to identify and remediate than those originating externally. According to the DER, 75% of CISOs expect data loss from insiders to increase in the next 12 months. This is a worrying statistic, as it suggests that companies are struggling to identify and prevent data breaches from within their own walls.
Having assisted numerous organizations in trying to identify potential Insider Risk indicators, this sentiment among CISOs does not surprise me. Leaders face tough scenarios in proactively identifying risk and insider events before they happen, with many of those actions (e.g., downloading data to the cloud, emailing information outside of the organization) being common business practices.
Detecting Insider Risks is so crucial because these threats often go unnoticed until it is too late. Insiders may be engaged in risky behavior for months or even years before anyone notices, allowing them to cause significant damage to the organization. In fact, according to the 2022 Ponemon Institute Cost of Insider Threats Global Report, the time it takes to identify and contain an insider threat increased from an average of 77 days in 2021 to 85 days in 2022.
The importance of effective Insider Risk Management programs
Despite the challenges of detecting Insider Risk, over 70% of responding companies have dedicated programs for addressing this issue. However, the data suggests that these programs may not be effective in addressing the problem, as the DER’s findings show a 32% year-over-year increase in events. One challenge may be related to technologies, with 90% of companies using a mix of tools such as DLP, CASB, UEBA and others.
Many companies I have worked with have, understandably, wanted to make do with the tools they have to detect Insider Risk. Until recently, many companies didn’t have the budget to allocate to Insider Risk, largely due to a lack of awareness of the business impacts it can have and the necessity to attack the problem differently. Having seen companies across the spectrum – from those with almost no Insider Risk-dedicated technology to others with what some may consider too many tools for the problem set – what mattered most was a solid understanding of the risks present, the vulnerabilities posed by everyday business practices, and the factors at play in the business that might instigate both negligent and malicious behaviors. That is why thinking holistically, across people, processes, and technologies, is essential in building an effective program.
Regular and point-of-need-based training and education on Insider Risk are also important to raise awareness and promote a culture of security and trust. Insider Risk is not just a cybersecurity issue, but is intimately intertwined with a company’s culture and has a significant impact on the business. Creating a culture built on trust and transparency is critical for companies in today’s hybrid-remote world.
While the frequency of training has increased, the quality may not have improved. The data shows that those conducting training weekly are more likely to say that a complete overhaul is needed than those conducting it monthly. Companies must balance the frequency and quality of training to ensure that employees receive the necessary knowledge and skills to identify and prevent Insider Risk.
Looking to the future
This year’s DER underlines the importance of working smarter, not necessarily harder, to mitigate Insider Risks. While the number of technologies we can use to detect Insider Risk events is ever-growing, they aren’t a silver bullet to solving your Insider Risks. Effective Insider Risk Management programs must not forget to focus on the proactive efficacy of timely and relevant Insider Risk education, as well as tailoring the program to the culture of your organization. Without it, the time and difficulty associated with reducing Insider Risks will continue to increase.
Did You Know?
CISOs rank Insider Risk as the most difficult threat to detect
Latest data places it above cloud data exposures and malware or ransomware.