A vast majority of companies are struggling with data losses from insider events despite having dedicated insider risk management (IRM) programs in place, according to a data exposure study commissioned by Code42.\n\nThe study conducted by Vanson Bourne, an independent research firm for technology companies, interviewed 700 cybersecurity professionals, managers, and leaders in the US between January and February.\n\n\u201cInsider incidents are growing and it\u2019s not surprising as we have settled into a hybrid-work arrangement,\u201d said Joe Payne, president and CEO of Code42. \u201cEverything being digitized these days, irrespective of the business you are in, makes for a very easy passage of data by simply clicking through desktops, either intentionally or accidentally.\u201d\n\nThe study revealed an average 32% year-on-year increase in data losses from insider incidents, costing each organization about $16 million per incident. Insider incidents include data exposure, losses, leaks, and thefts originating internally from an existing employee of an organization.\n\nInsider risks are the most difficult to manage\n\nMore than 82% of CISOs admitted being concerned about the insider risk problem in their organizations and the data loss associated with it.\n\n\u201cEmployees, partners, and contractors all are provided with access at various levels with different degrees of sensitivity, but the behaviors of the users are not actively monitored,\u201d said Paul Furtado, an analyst at Gartner. \u201cIT security spends are mostly focused on external threats and securing the perimeter from bad actors. Trusted, internal users don\u2019t always have the same level of preventative data protection controls in place and violations often are only discovered once something has occurred.\u201d\n\nDetecting a data loss from an insider event presented even greater challenges as 75% CISOs said they failed at doing so in their companies.\n\n\u201cInsider risk is pervasive across all industries and can span a wide range of potential impact from brief downtime to total loss of data,\u201d said Jimmy Mesta, co-founder & chief technology officer at KSOC, a real-time Kubernetes monitoring company. \u201cIncreasing complexity within corporate IT infrastructure and cloud adoption have made insider risk nearly impossible to detect in some circumstances. Insider risk isn\u2019t always intentionally malicious, which can make detections extremely challenging.\u201d\n\nFor an instance, a command line change targeting a public cloud account can open up a host of private databases to the internet without triggering a suspicious event log, Mesta said.\n\nCISOs ranked insider risks (27%) as the most difficult threat to detect, placing it above cloud data exposures (26%) and malware\/ransomware (22%).\n\nVarious factors leading to failed IRMs\n\nAmong 72% of participants having a dedicated IRM program in place, a massive 71% still believe they could experience insider incidents in the next 12 months. More importantly, 79% of CISOs said they could lose their job from an unaddressed insider breach.\n\nThe technologies used in these programs include some combination of IRM (97%), user and entity behavior analytics \/ User Activity Monitoring (97%), enterprise data loss prevention (97%), security awareness training\/education (96%) and cloud access security broker (96%).\n\nOne of the reasons contributing to IRM failure is the lack of training. While a vast majority (93%) of CISOs believed the new hybrid work culture has pushed the need for security training in their company, about four out of five (79%) of them admitted the leadership team isn\u2019t placing enough attention on data loss from insiders.\n\nAlso, the companies conducting monthly security training dropped from 32% to 27% year-over-year, with data indicating that most organizations are pushing for weekly data security training.\n\nIncidents have grown further on account of the present technologies and programs failing to detect and prevent accidental (as opposed to malicious or negligent) actions. Most of the respondents regarded \u201caccidental\u201d to be the most concerning insider event type as they cited a lack of employee training for behaving in a safe and secure way as a cause for it.\n\n\u201cThese threats (accidental incidents) typically come from a lack of \u201cleast privilege\u201d access as well as missing detection and logging techniques,\u201d Mesta said. \u201cCloud misconfiguration tops the charts year after year when it comes to the most frequent security challenge as we are now dealing with the protection of APIs in the cloud that are vast and often misunderstood. Over-permission and lack of guardrails will continue to be the main source of insider risk for years to come.\u201d\n\nMore often than not, the insiders (employees) are just attempting to make their job easier by exporting data in non-approved ways or sharing it with the wrong individuals or people who do not have the requisite permission to view the data. A lot of times they don\u2019t even know they are doing something wrong, Furtado said. \n\nInsufficient budgets also emerged as a contributing factor as 69% spoke about a budget expansion plan for the next year.