We’re never going back to a world where all employees work from the office 100% of the time. Organizations have seen first-hand that it’s possible to sustain mass remote working indefinitely, and most employees are now pushing for a flexible future.
This new world is only possible because it has scalable digital communication as its backbone. The 3000 remote employees based in the UK and the US who took part in our recent survey all acknowledged they’re using digital communication more. Email leads the way with increased usage by 85% of employees, followed by video conferencing solutions (77%) and chat apps like Microsoft Teams (77%).
The more digital content employees are sharing, however, the more likely it is that an insider data breach will occur. This is especially true for email. Four in five (80%) employees say they use email to communicate sensitive data both internally and with clients, and 83% of organizations have experienced an email security incident that put data at risk in the last 12 months.
This insider risk is something that organizations need to urgently address – and here’s how they can do that!
Understand Why People Put Data at Risk
Most insider data breaches occur because of human error or people ‘breaking the rules’, sometimes with the best of intentions! If we take email as an example, the most common ways people inadvertently put data at risk are falling victim to a targeted phishing attack, adding a wrong recipient or attaching a wrong file. When it comes to breaking the rules, this typically happens when someone either cuts a corner to avoid using the security solution they’ve been provided with (perhaps because their recipient doesn’t like using email encryption) or when they’re intentionally exfiltrating data.
These incidents all hinge on an individual person’s behavior. Understanding this means you’ll be better equipped to know what security strategies and technologies you need to put in place.
Carry Out an Insider Risk Audit
Most organizations don’t have a full grasp of their insider risk exposure. Employees are constantly creating and sharing digital content, and it’s difficult for organizations to have total visibility and control over every information flow without locking channels down and impacting productivity.
Understanding where risks are originating in your organization is the first step to mitigating them. Start with the most common channels employees use to share data. Our research shows this is email – so you need to run an investigation tool that can tell you how many times data has been put at risk because it was accidentally leaked, not adequately protected in transit, or exfiltrated. Once you have this insight, you can put together a proactive program for risk management.
Run Cyber-Education Programs – But Accept They Won’t Fix the Problem Alone
Every company should run cyber-education programs focused on helping people detect and deal with risks in the real world. These programs alone, however, are not enough.
If we could train beyond human error, none of us would ever make any mistakes! When we’re tired, stressed and feeling under pressure, security training is unfortunately pushed to the back of our brains to make space for the other faculties we need to simply get through a task or project. And right now, 73% of employees are experiencing negative emotions because of remote working and the pandemic. That means three-quarters of your employees are rushing through tasks to be as productive as possible, and too tired or stressed to spot when they make a mistake!
Education can reform a rule breaker in some instances – but it’s rare. Rule breakers have already done their cost-benefit analysis and decided that cutting security corners is a ‘calculated risk’ they’re willing to take to enhance their productivity. Similarly, the individual intentionally exfiltrating data will have their sights set on the payoff – whether that’s being able to take client data to get a head start at a new job or a financial reward offered by a competitor.
Upgrade Your Technology Stack
Finally, you need to put in place technology that can act as a safety net to keep employees on the right track as they share data, stopping inadvertent and intentional leaks, and alerting administrators to areas of high risk.
As insider data breaches are dependent on people’s behavior, you need a solution that can dynamically adapt to individuals in real time. The only way to achieve this is through machine learning that looks at the context of what an employee is doing and understands the risk to sensitive data, spotting mistakes when cyber-education has gone out of the window and catching rule breakers before the damage is done.
Getting your approach to insider risk right will offer immediate value from day one – but it will be invaluable for what lies ahead, securing employees wherever they happen to be working.