Much of the attention is typically focused on digging a moat and raising a drawbridge to protect the castle against a hostile outside world. This approach neglects the fact that the crown jewels (which these days means data) are also exposed to a range of internal threats. Humans are the greatest asset of any organisation but also its weakest link: most are largely unaware of the risks their everyday behaviour creates, and that gives intruders ample opportunities to get in. A breach can not only cost millions of dollars in short-term damages and legal fees but also severely harm reputation and brand recognition in the long run.
The single biggest threat: wrong user behaviour
In a recent survey, as many as 73% of organisations had experienced an internal security incident, costing small and medium businesses on average up to US$40,000 per event and large enterprises more than US$1.3 million. At 42%, confidential data loss by employees was cited as the largest single root cause. Another 28% reported accidental data leaks, and 14% intentional leaks of valuable company data. 19% confirmed that they lost a mobile device containing corporate data at least once a year.
Users don’t necessarily have bad intentions. The vast majority operate in good faith without realising that they are exposing themselves, and their organisation, to cyber threats. The Skyhigh Report finds that 90% of organisations encounter at least one insider threat each month, with the average organisation experiencing 9.3 insider threats monthly. In essence, user behaviour can be categorised as malicious activity, negligence or accident. However, whatever the underlying rationale turns out to be and however these incidents are clustered in retrospect, organisations are well advised to do their utmost to prevent them from occurring in the first place.
The world is changing rapidly: The impact of digitisation
Digitisation, and the sharing economy that explicitly encourages new ways of working such as “bring your own device” (BYOD), forces IT leaders and the C-suite alike to rethink their security agenda.
There seems to be a gap between share of mindset (embracing new ways of working) and share of wallet (adjusting security investment to keep up with the change).
The digital revolution is hardly stoppable. It is a runaway train smashing its way through society. Only 11% of organisations prohibit BYOD altogether, and that stance is unlikely to be sustainable for long in today’s reality. Young talent, in particular, wants to use cutting-edge technology. Employee satisfaction matters, and people strive for more freedom, control and flexibility. Everyone uses mobile devices, and the number of connected IoT devices (smart watches, wristbands etc.) is projected to reach billions over the next couple of years. Trying to ignore these facts by simply proclaiming a ban is doomed to fail. By the same token, Microsoft concluded as early as 2012 that, irrespective of official policies, 67% of employees were using personal devices at the workplace anyway.
Assuming that issuing company-owned devices instead would entirely solve the issue is a misconception. A report suggested that 60% of employees use company-issued mobile devices to work from home, on the road or for personal activities. Moreover, 94% noted that they connect their mobile devices and laptops to unsecured Wi-Fi networks, exposing corporate data to a range of risks through devices that are supposedly protected. A managed device on a hostile network is still a device on a hostile network; ownership of the hardware does not by itself protect the data it carries.
Insiders have a far better understanding of the organisation than outsiders do, and in a digital world the actions of employees can have severe consequences. To a very large extent, this comes down to inadvertent human error. Organisations must therefore take appropriate precautions and protect against threats from the inside more than ever before.
Finding the right balance between device preference, usability and IT security is a delicate trade-off. Whether these devices are personally owned or company-owned, ensuring 360-degree protection of the devices and the data they hold (at rest, in transit and in use) remains an ongoing challenge that needs constant enhancement. It is very much a cat-and-mouse game.
Besides implementing tools and enforcing policies, the most effective strategy starts with the first line of defence: education. According to PWC’s 20th CEO survey, 53% of CEOs are to “a large extent”, and a further 38% to “some extent”, concerned about cyber-attacks negatively impacting their business. The tide is slowly turning, with cyber threats receiving increasing attention in the boardroom. Creating awareness and a sense of urgency can be enormously powerful, especially when it is embraced from the top of the organisation and carried across all levels. People love role models; hardly anything is more effective than a championing CEO who leads by example. Or, as novelist Ken Kesey once put it: “You don’t lead by pointing and telling people some place to go. You lead by going to that place and making a case.”