Friction between management and employees exacerbates insider threat

The gulf between employees and IT leaders

Questioning both IT leaders and employees on the intent behind insider breaches, the Egress Insider data breach survey 2019 has uncovered a huge disparity between the two groups, illustrated by a lack of trust displayed by executives towards their employees.

For example, 79% of IT leaders believe employees have put sensitive company data at risk accidentally in the past 12 months, but 92% of employees countered this by saying they haven’t accidentally broken company policy when sharing information.

In addition, 61% of IT leaders think employees have put sensitive company data at risk maliciously in the past 12 months, but 91% denied intentionally breaking company policy.

This chasm, combined with the rapid growth in unstructured data and the ways in which employees can now share data, has the potential to derail an organisation’s security programme.

When asked to name the top three causes for insider breaches, IT leaders put rushing and making mistakes at number one (60%), followed by a general lack of awareness (44%) and lack of training on the company’s security tools (36%).

From an employee perspective, out of those who had accidentally shared data, almost half (48%) agreed they had been rushing, but 30% blamed a high-pressure working environment and 29% said it happened because they were tired.

The most frequently cited employee error was accidentally sending data to the wrong person (45%), while 27% had been caught out by phishing emails. More worryingly, more than a third of employees (35%) were simply unaware that information should not be shared, pointing to an urgent need for effective employee education around responsibilities for data protection.

It is also worth pointing out that 55% of employees that intentionally shared data against company rules said their organisation didn’t provide them with the tools needed to share sensitive information securely.

This implies that, while IT leaders seem to have low expectations of their employees when it comes to putting data at risk, they are failing to effectively provide the tools and training needed to prevent a data breach from happening in the first place.

What should organisations do now?

So, how can organisations bridge the divide between employer and employee when it comes to data security? The answer lies in a combination of technology, workplace culture and training.

The answer is not for the IT department to curb “reckless employee behaviour” by placing restrictions on how they handle data. This can have a negative effect on employee productivity, and any restrictions may be circumvented altogether if the user finds they are hindering their work.

Organisations should already know they need to implement security solutions that are easy for employees to work with. It is also important to provide them with the right technology to do their jobs effectively, so they don’t feel they need to turn to non-sanctioned solutions such as file-sharing platforms, for example.

Employees need to be able to rely on the security solutions in place; they should act as a safety net – being able to detect when someone is about to accidentally cause a data breach and preventing this from happening in the first place.

Should IT or the organisation ever try to remove these tools, there should be general outcry from employees (much like if you tried to remove email today) – and if there isn’t, it’s clear these tools aren’t providing enough benefit. 

Similarly, employees must understand data ownership – 29% think they have individual ownership over company data, and 60% don’t think their employer has exclusive ownership over it – so it is essential to effectively communicate company policies, as well as those put in place by data privacy regulations such as the General Data Protection Regulation (GDPR).

But addressing the initial “why” behind a breach is just as important as any other solution. Management needs to address why employees are tired or rushing due to the pressure of the job, and consequently making mistakes.

They can then implement changes to reduce these contributing factors and, in turn, lessen the risk of data loss. It is also important that an organisational “blame culture” doesn’t drive employees to hide any unintentional breaches.

Similarly, there needs to be better interaction between CISOs and the rest of the C-suite, so they can describe the insider threat in a way that’s quick and easy to understand.

While “employee trust” should not be used as a foundation for security, IT leaders must work to address and resolve any underlying workplace or behavioural issues. Alongside enforcing data policies and implementing security tools, this will lessen their chance of becoming the next victim of a data breach.