Senior employees and company directors are putting their businesses and careers at grave risk with cavalier and blasé attitudes to cyber security, according to new statistics on insider threats produced by Egress. Its figures revealed that 78% of directors have intentionally shared data against company policy in the past 12 months, compared with just 10% of clerical staff.
Many of these intentional breaches resulted from departing employees spiriting useful data off to their new job – 46% of employees who said they or a colleague had intentionally caused a data breach had done this. However, according to the Insider data breach survey 2020, only 18% of IT leaders thought this was the most likely cause, pointing to a critical need for diligence around departing workers.
Again, the report said, director-level employees were much more likely to take data to a new job than were those lower down the food chain.
Other intentional breaches occurred because the company had not provided the right tools to share data appropriately and securely, while a smaller number of staff were upset with their employer and wanted to cause it damage. But in every case, Egress found that director-level staff took more risks, setting the wrong tone for data protection.
Egress said it often saw that senior employees, when confronted with security technology (such as its own) that forces a change in their behaviour or impacts their day-to-day work, will try to get it removed or work around it.
The company also described a dangerous culture of exceptionalism and inflated egos among senior employees, who were often given special dispensation to bypass web-browsing filters or use their own unsecured devices.
“We looked at how more senior people behave versus less senior people and actually, frighteningly, it’s much worse,” said Tim Pickard, chief marketing officer at Egress. “These people have more access to sensitive data as they go through the business, potentially some of their access doesn’t get revoked necessarily, and so they have this huge view of company information and potentially personal information.
“We all know we’re all responsible for data security, but the more senior we get, it transpires, the more we think that it should be the responsibility of the IT security team. We know criminals know this because when they target people within organisations, they target senior people, who have access to information and their behaviour is maybe not as rigorous as somebody lower down.”
Pickard suggested several reasons why this might be the case: “More senior people tend to feel they’re above some of these things – ‘I have to get this done, I have to send this, I’m that important within the organisation that my job comes before the security of the business’, potentially.
“Quite a high percentage of people also feel like they have ownership of the data they have worked on, which is obviously not the case, but there is this perception that people can do what they want with that data.”
Pickard also suggested that people higher up tended to skip cyber security training sessions, believing they already knew it all anyway. “A behavioural psychologist we worked with talked about the Dunning-Kruger effect – essentially, people who have a small amount of information think they are much more knowledgeable than they are,” he said. “This is a form of bias that we all have and maybe people who have been in the organisation for a long time think, ‘actually, I know all I need to know about security’.”
But security administrators are not completely absolved from blame, said Pickard, adding that because security people tend to sit lower down in organisational hierarchies, they are constrained by an organisational culture that makes them reluctant to call out senior employees for poor security hygiene.
The full report was compiled by independent researchers at Opinion Matters, who interviewed 500 IT leaders and 5,000 employees in Benelux, the UK and the US during January 2020. It revealed a messy picture: conflicting views on many aspects of organisational data protection, discrepancies between risk perception and cause, and downright erroneous, even reckless views.
Egress CEO Tony Pepper said the report’s various findings showed that IT leaders were resigned to the inevitability of data breaches and so did not have adequate risk management in place.
“While they acknowledge the sustained risk of insider breaches, bizarrely, IT leaders have not adopted new strategies or technologies to mitigate the risk,” he said. “Effectively, they are adopting a risk posture in which at least one-third of employees putting data at risk is deemed acceptable.
“The severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider data breaches. They also need better visibility of risk vectors – relying on employees to report incidents is not an acceptable data protection strategy.”