RISK

NEWS

Data breaches: employees are your greatest risk

20 Jul 2021

Insider risk poses the greatest threat to data protection in any organisation, according to a new report, Insider Data Breach Survey 2021, from egress.

Every IT leader knows the potential impact of a data breach, but many are worryingly underprepared when it comes to their own people, it finds.

“That’s because insider risk is the most complex cybersecurity issue they have to solve. People create risk every day. They are vulnerable to targeted phishing attacks and being hacked; they make mistakes, such as misdirecting sensitive emails; and they break the rules, often just to make their lives a little easier (and sometimes for personal gain).”

A data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to data. Breaches can be both accidental and deliberate. Data breaches can include:

  • Access by an unauthorised third party.
  • Deliberate or accidental action (or inaction) by a controller or processor.
  • Sending personal data to an incorrect recipient.
  • Theft or loss of computing devices containing personal data.

In order to handle insider breaches, IT leaders need to gain a firm grasp on insider risk and put an effective strategy in place to mitigate it. The survey shows that 97% of IT leaders are already aware of the problem. But these anxieties aren’t easing as time passes, and the figures around breach numbers show that IT leaders are right to be concerned. Ninety-four percent of organisations have had a data breach in the last 12 months, 84% have suffered a breach directly from human error and almost three-quarters (73%) have experienced a phishing breach.

Why are malicious insiders the biggest concern?
The report finds that, according to IT leaders, the biggest concern is not simply the bad taste left by a formerly trusted colleague turning rogue and deliberately doing harm, it’s that they believe single incidents of malicious exfiltration will have the greatest negative impact. says the report:

“There’s also personal gain motivating malicious insiders, so their actions are typically well-targeted to harm the organisation. This can be the damage done from the incident itself or from further incidents if the data is given to cybercriminals, or some form of payday from hackers, competitors or even nation states.”

Three motivations behind malicious breaches worry IT leaders equally:

  • Taking data to a new job.
  • Leaking data to cybercriminals.
  • Leaking as part of a nation-state attack.

The general consensus from IT leaders is that insider breaches are an ongoing and complex challenge. Despite malicious exfiltration standing out as the number one fear and email remaining the riskiest point of origin, concerns were spread widely in the survey results.

The report advises that email is still the riskiest channel as it’s easy to make a mistake and accidentally misdirect an email. If someone was going to (maliciously or otherwise) exfiltrate data, the chances are they’ll simply email it to their personal account. On top of that, email remains the most fertile hunting ground for phishers. IT leaders clearly recognise email is a problematic channel, but it’s fast, familiar, productive – and going nowhere. That means it’s not a simple problem to solve, as evidenced by the failure of traditional email data loss protection solutions to stop breaches.

The new way of working
Remote working and the knock-on effects on data loss are here to stay – and it’s a concern for IT leaders. Fifty-six percent believe remote working has had a direct impact on human error incidents in the past 12 months, and 54% believe it will make preventing breaches harder in the future.

Do employees see themselves as risks?
The following stats show an interesting disconnect between how often insiders believe they come across threats and what’s being reported by organisations. Only 39% recount having seen instances of accidental email first-hand – which is low given the frequency of incidents described by IT leaders. Phishing is a little higher, with 55% saying they or a colleague have received at least one phish in the past 12 months – although, 73% of respondents also said they’ve never fallen victim to a phishing email themselves. The view from IT leaders is clear. Insider risk is a serious problem, and they’re being breached in a variety of ways.

Who’s responsible for data security?
While IT leaders would think that data security is seen as an organisation-wide effort, egress’ report reveals it’s not always that simple:

“It can be an interesting debate as to who has the ultimate responsibility for securing data. Our respondents were divided on the issue – suggesting employees simply aren’t clear on where the final responsibility for securing data lies.”

Read further information on the report’s findings here.