Insider risk is one of the costliest types of data breaches.

So said Ran Pugach, chief product and development officer at Ava Security, speaking during the ITWeb Security Summit 2020 yesterday. The event was held virtually.

He noted that organisations must strengthen their defences against insider risk with human-centric security.

“The rationale there is that securing an organisation starts with securing your people. You must be able to understand human and behavioural patterns to be able to protect against insider risks,” Pugach said.

“When we talk about insider risks, people sometimes jump to the conclusion of employees trying to steal data or malicious employees."

However, it is important to note that there are negligent and accidental behaviours that expose the organisations to cyber attacks.

“This involves employees that are not technical experts either using a USB stick or using unsecured WiFi networks; not being aware of the actual risk they will be exposing themselves to.”

He said the majority of insider risks are caused by lack of competence or user error. However, he said, it gets worse when it involves disgruntled employees, malicious insiders or irresponsible third parties.

Nonetheless, Pugach pointed out that the majority of organisations are mostly concerned about the risks coming from the outside.

“But we all know that most hackers today don’t hack; they gain the credentials and they start behaving just like an insider. So organisations tend to overestimate the impact of malicious outsiders but what the outsiders want is simply what the insiders already have – the privileges.”

Pugach cited a recent report that found that 59% of the employees admitted to taking intellectual property (IP) with them when leaving an organisation, while the average cost of an IP theft or sabotage incident is $756 000.

Thus, he said: “Securing your organisation starts with your people. Understanding human and device behavioural patterns is essential to protecting against insider risks, be they malicious, accidental or negligent.”