Overlooking insider risk could prove costly
Insider risk is one of the biggest threats to company IP and customer information, yet organisations tend to focus more time defending against malicious outsiders than on bolstering insider education.
This is according to Nick Maxwell, Ava Security GM for UK/MEA and Australia, who was speaking during a webinar hosted by Ava Security in partnership with ITWeb earlier this month.
Maxwell said: “There has been a huge uprise in phishing attacks in recent months, with 28 million cyber attacks in South Africa this year alone. This is partly because of increased vulnerability caused by undereducated employees working remotely.”
An untrained workforce does not know how to keep itself safe when working from home, an environment in which people let their guard down, he said. “We need more safety measures in place and we need staff to be more aware.”
Insider risk is one of the costliest types of data breaches, he said. “A recent Ponemon global report on the cost of insider threats shows that the cost of insider threat has grown to $11.5 million dollars – up 57% in the past two years.”
He said it was cause for concern that 59% of employees admit to stealing intellectual property when they leave an organisation, and that despite regulations stipulating how quickly organisations need to report on breaches, over a third of insider incidents are not contained within 90 days.
Not all insider breaches are malicious, he noted: “Employees unknowingly or unintentionally expose their organisations to breaches by browsing risky Web sites, downloading malicious files, accessing confidential data through unsecured Wi-Fi networks, and inserting USB sticks containing malware.”
Maxwell said security teams face a number of challenges in preventing breaches: giving remote workers access to resources increases risk, the perimeter boundary is changing, shadow IT is increasing, and cyber security skills are in short supply.
To reduce risk, organisations must take a human-centric approach to security, he said.
“Crucially, organisations must educate and empower their first line of defence – their people. They need to continually educate, monitor and measure, and improve their security posture. They also need to be able to prevent sabotage, protect data at creation, in motion and at rest against known and unknown entities, and accelerate threat hunting,” he said.
Ultimately, security has to be everyone’s responsibility. “It should not be only IT’s responsibility. But if you don’t educate, empower and enable end users to make better decisions, and enforce security best practices, the responsibility will rest solely on IT.”