Insider risk a key threat as POPIA deadline looms
With the deadline for compliance with the Protection of Personal Information Act (POPIA) only weeks away, organisations are increasingly concerned about the data security risks presented by their own staff.
This emerged during a CISO round table hosted by Ava Security in partnership with ITWeb this week.
Nick Maxwell, GM for UK, MEA and ANZ at Ava Security, said: “Organisations have seen an uptick in insider risks in the past year - whether it be due to disgruntled employees, people being made redundant, people moving on from their jobs, or people becoming a little bit more desperate.”
He noted that the widespread move to remote and hybrid work had also increased the risk of insiders exposing data accidentally.
A poll of the webinar participants revealed that most were more concerned about insider threats than about malicious outsiders, with 75% naming insider privilege management as their area of highest concern.
Round table participants noted that insider risk remained a challenge despite ongoing training and awareness campaigns. End users working from home may have unsecured home networks and devices, and tend to let their guard down when they are on the road or tired.
They also expressed concern about the growing risk of criminals bribing or physically threatening staff to gain access to enterprise networks and data. They said there was a trend for some syndicates to target employees, either approaching them with ‘a bag full of money’ or putting a gun to their heads to obtain their privileged access credentials.
Pre-COVID, firewalls had helped to protect data, but in the new hybrid environment this perimeter was effectively broken, they said. Employees were now required to connect from anywhere, on any device, making it very difficult to ensure data security.
“There needs to be a fine balance between creating the right employee experience and still ensuring that the data is secure from wherever they are connecting,” said Maxwell.
Noting that firewalls, network security appliances and anti-virus are not enough to prevent data loss and exposure due to insider carelessness or malicious activity, Ava Security recommends the use of user activity monitoring. Ava Reveal sheds light on how data and systems are accessed and used, with optional anonymisation for privacy. This allows organisations to identify and mitigate risk and improve employees’ behaviour through incident-based training.
Maxwell noted that multiple layers of security were necessary, and that end user training and awareness programmes remained key. “It becomes very important that you collaborate closely with your HR team from a culture perspective to ensure that your training is not just a tick box exercise, but that you are actually changing behaviours in your business to ensure that people fully understand the impact of their actions when you give them access to data within your environment,” he said.