Imperva Inc., the comprehensive digital security leader on a mission to help organisations protect their data and all paths to it, releases new data that shows organisations are failing to address the issue of insider threats during a time when the risk is at its greatest.
New research, commissioned by Imperva and conducted by Forrester, found that the majority (58%) of incidents that negatively impacted sensitive data in the last 12 months were caused by insider threats, and yet more than half (59%) of APAC organisations do not prioritise insider threats the way they prioritise external threats.
Percentage of respondents who agreed or strongly agreed with the following statement: Our company does not prioritise insider threats/unauthorised use of credentials the way they prioritise external threats.
“This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher,” says George Lee, Vice President, Asia Pacific and Japan, Imperva. “The rapid shift to remote working means many employees are now outside the typical security controls that organisations employ, making it harder to detect and prevent insider threats.”
“Further, ‘The Great Resignation’ is creating an environment where there is a higher risk of employees stealing data. This data could be stolen intentionally by people looking to help themselves in future employment, or it could be taken inadvertently when an employee leaves the organisation.”
Why are organisations not prioritising insider threats? The majority of APAC respondents blame lack of budget (41%) and internal expertise (38%), but other problems abound. A third (33%) of firms do not perceive insiders as a substantial threat, and 24% say their organisational indifference to insider threats is due to internal blockers such as a lack of executive sponsorship. In fact, three-quarters (74%) of APAC organisations do not have an insider risk management strategy or policy, and 70% do not have a dedicated insider threat team.
Internal drivers for companies who are not prioritising insider threats/unauthorised use of credentials the way they prioritise external threats.

| | | | | |
|---|---|---|---|---|
| Lack of budget for protection against unauthorised use of credentials | 29% | 43% | 45% | 43% |
| Lack of internal expertise | 59% | 32% | 24% | 32% |
| Lack of perceived threat | 41% | 32% | 36% | 32% |
| Internal blockers (e.g. lack of executive buy-in, no internal champion, etc.) | 18% | 25% | 27% | 25% |
| Do not have an insider risk management strategy/policy | 81% | 65% | 69% | 78% |
| Do not have a dedicated insider threat team | 84% | 70% | 54% | 76% |
The findings show that organisations are woefully underestimating the seriousness of insider threats. Previous analysis by Imperva into the biggest data breaches of the last five years found one quarter (24%) of these were caused by human error (defined as the accidental or malicious use of credentials for fraud, theft, ransom or data loss) or compromised credentials.
APAC firms are prioritising external threats over insider threats, despite the fact that insider events occur more often, says Lee. “Insider threats are hard to detect because internal users have legitimate access to critical systems, making them invisible to traditional security solutions like firewalls and intrusion detection systems. This lack of visibility is a significant risk to the security of an organisation’s data. That is why leaders need to focus on the potential threats lurking within their own network.”
The main strategies currently being used by APAC organisations to protect against insider threats and unauthorised usage of credentials are encryption (54%) and periodical manual monitoring/auditing of employee activity (44%). Many are also training employees to ensure they comply with data protection/data loss prevention policies (57%). Despite these efforts, breaches and other data security incidents are still occurring and more than half (55%) of respondents said that end users have devised ways to circumvent their data protection policies.
“If your organisation hasn’t created a focused strategy to adequately address insider risk, this needs to be a priority for 2022. An effective insider threat detection system needs to be diverse, combining several tools to not only monitor insider behaviour, but also filter through the large number of alerts and eliminate false positives. Also, as protection of a company’s intellectual property begins at the data layer, a comprehensive data protection plan must include a security tool that protects the data layer,” says Lee.
Organisations looking to better protect against insider threats should take the following steps:
- Gain stakeholder buy-in to invest in an insider risk program. Insider risk is a human problem, not a technology issue, and must be treated as such. It is also a risk that cuts across all parts of the business. Therefore it is important to get senior executives from across the company to endorse and support the insider risk program for it to be successful. Start at the top to gain buy-in and sponsorship, then engage with leaders from HR, Legal, IT, and other parts of the organisation.
- Follow Zero Trust principles to address insider risk. Following a Zero Trust approach helps protect data and users while limiting the ability of insiders to use sensitive resources not required by their function.
- Build a dedicated function to address insider risk. Since insider risk is a human problem and very sensitive in nature, it requires dedicated resources. These may be part of the security team or, better yet, a separate dedicated function. Either way, this team needs a specific mandate for insider risk and training to recognize and respond to insider threats.
- Create processes for your insider risk program and follow them. The sensitivity of insider risk and its associated privacy concerns require that strict policies are implemented and followed. Treat every investigation as if it will end up in court and apply policies consistently.
- Implement a comprehensive data security solution. A complete solution goes beyond DLP to include monitoring, advanced analytics, and automated response to prevent unauthorised, accidental, or malicious data access. The technologies you deploy should support the processes you’ve created and the mandate for your insider risk function. Your organisation will see cost savings and a reduction of risk from business-impacting security events.