Shweta Sharma
Senior Writer

Data loss from insider events increases despite IRM programs, says study

Mar 28, 2023, 5 mins
Data Breach, Risk Management

Insider risks are difficult to detect, manage and mitigate and can easily evade lackluster, low-budget insider risk management programs with an inadequate training regime.


A vast majority of companies are struggling with data losses from insider events despite having dedicated insider risk management (IRM) programs in place, according to a data exposure study commissioned by Code42.

The study conducted by Vanson Bourne, an independent research firm for technology companies, interviewed 700 cybersecurity professionals, managers, and leaders in the US between January and February.

"Insider incidents are growing and it's not surprising as we have settled into a hybrid-work arrangement," said Joe Payne, president and CEO of Code42. "Everything being digitized these days, irrespective of the business you are in, makes for a very easy passage of data by simply clicking through desktops, either intentionally or accidentally."

The study revealed an average 32% year-on-year increase in data losses from insider incidents, costing each organization about $16 million per incident. Insider incidents include data exposure, losses, leaks, and thefts originating internally from an existing employee of an organization.

Insider risks are the most difficult to manage

More than 82% of CISOs admitted being concerned about the insider risk problem in their organizations and the data loss associated with it.

"Employees, partners, and contractors all are provided with access at various levels with different degrees of sensitivity, but the behaviors of the users are not actively monitored," said Paul Furtado, an analyst at Gartner. "IT security spends are mostly focused on external threats and securing the perimeter from bad actors. Trusted, internal users don't always have the same level of preventative data protection controls in place and violations often are only discovered once something has occurred."

Detecting data loss from an insider event presented even greater challenges, as 75% of CISOs said they failed at doing so in their companies.

"Insider risk is pervasive across all industries and can span a wide range of potential impact from brief downtime to total loss of data," said Jimmy Mesta, co-founder & chief technology officer at KSOC, a real-time Kubernetes monitoring company. "Increasing complexity within corporate IT infrastructure and cloud adoption have made insider risk nearly impossible to detect in some circumstances. Insider risk isn't always intentionally malicious, which can make detections extremely challenging."

For instance, a command-line change targeting a public cloud account can open up a host of private databases to the internet without triggering a suspicious event log, Mesta said.

CISOs ranked insider risks (27%) as the most difficult threat to detect, placing it above cloud data exposures (26%) and malware/ransomware (22%).

Various factors leading to failed IRMs

Among the 72% of participants with a dedicated IRM program in place, a massive 71% still believe they could experience insider incidents in the next 12 months. More importantly, 79% of CISOs said they could lose their job from an unaddressed insider breach.

The technologies used in these programs include some combination of IRM (97%), user and entity behavior analytics / User Activity Monitoring (97%), enterprise data loss prevention (97%), security awareness training/education (96%) and cloud access security broker (96%).

One of the reasons contributing to IRM failure is the lack of training. While a vast majority (93%) of CISOs believed the new hybrid work culture has pushed the need for security training in their company, about four out of five (79%) of them admitted the leadership team isn't placing enough attention on data loss from insiders.

Also, the companies conducting monthly security training dropped from 32% to 27% year-over-year, with data indicating that most organizations are pushing for weekly data security training.

Incidents have grown further on account of the present technologies and programs failing to detect and prevent accidental (as opposed to malicious or negligent) actions. Most of the respondents regarded "accidental" to be the most concerning insider event type as they cited a lack of employee training for behaving in a safe and secure way as a cause for it.

"These threats (accidental incidents) typically come from a lack of 'least privilege' access as well as missing detection and logging techniques," Mesta said. "Cloud misconfiguration tops the charts year after year when it comes to the most frequent security challenge as we are now dealing with the protection of APIs in the cloud that are vast and often misunderstood. Over-permission and lack of guardrails will continue to be the main source of insider risk for years to come."

More often than not, the insiders (employees) are just attempting to make their job easier by exporting data in non-approved ways or sharing it with the wrong individuals or people who do not have the requisite permission to view the data. Often they don't even know they are doing something wrong, Furtado said.

Insufficient budgets also emerged as a contributing factor as 69% spoke about a budget expansion plan for the next year.

Shweta Sharma is a senior journalist covering enterprise information security and digital ledger technologies for IDG’s CSO Online, Computerworld, and other enterprise sites.
