Some 40% of businesses believe they’ll suffer an insider breach in the next 12 months, with many more claiming their company doesn’t do enough to raise awareness of cyber threats, according to Clearswift.
The DLP firm polled 500 IT decision makers and 4,000 employees in the US, UK, Germany and Australia to compile its 2015 Clearswift Insider Threat Index.
It revealed that, aside from the plurality who believe they’ll suffer an insider breach soon, 75% of employees don’t think their organization provides enough info on data protection policies.
A further 58% don’t have enough understanding of what a security threat might look like, while half said they ignore data policies at work to get their jobs done.
The data chimes with other findings from the research already reported including the fact that a quarter of employees would be happy to sell critical company data for as little as £5,000.
It also emerged from this research that HR and finance staff members are regarded as the biggest threat to data security as they run the risk of sending sensitive information to the wrong people or accidentally downloading malware onto machines.
The insider threat has been highlighted many times before. Pwc’s 2015 Information Security Breaches Survey claimed that 10% of UK breaches were down to malicious staff members or contractors, while 26% was down to accidental abuse by these employees.
That’s the highest single cause of breaches listed in the survey, above third party suppliers (18%) and organized crime (23%).
The problem for CISOs is that mitigating the insider data security risk is difficult, and requires attention to people, process and technology.
Clearswift SVP of products, Guy Bunker, argued that it can be tricky persuading the board of the need for greater investment in data loss prevention because of ‘FUD’ (fear, uncertainty and doubt).
Security vendors and personnel talk about the threat and the need for such and such a solution to mitigate it—but if the threat doesn’t manifest itself inside the specific organisation, then it is seen as a ‘waste of money’,” he told Infosecurity.
“Security solutions can also be seen as ‘insurance’ and expensive insurance at that. The challenge for the CISO et al is to be taken seriously. They need to put forward a case where cost effective security solutions can be deployed to provide ‘everyday value’.”
CISOs need to sell security to the board as a “value added business enabler” rather than mere insurance, he concluded.
Photo © Alex-Po