In the past few years, rapid growth in the volume of sensitive information combined with new technologies has chipped away at the effectiveness of traditional endpoint protections and network perimeter security. In tandem come warranted concerns about the number and types of employees who have access to sensitive data. While Edward Snowden may be viewed as the “insider threat” poster child, not all employees have malicious intentions. Simply by having access, privileged insiders may unwittingly put data at risk – or be used by an outside actor as a conduit for siphoning data.
The 2015 ITR statistics from U.S. organisations polled are sobering:
· 93% of U.S. respondents said their organisations were somewhat or more vulnerable to insider threats
· 59% of U.S. respondents believe privileged users pose the biggest threat to their organisation
· Preventing a data breach is the highest or second highest priority for IT security spending for 54% of respondents’ organisations
· 46% of U.S. respondents believe cloud environments are at the greatest risk for loss of sensitive data in their organisation, yet 47% believe databases have the greatest amount of sensitive data at risk
· 44% of U.S. respondents say their organisation had experienced a data breach or failed a compliance audit in the last year
· 34% of U.S. respondents say their organisations are protecting sensitive data because of a breach at a partner or a competitor
“Vormetric’s 2015 Insider Threat Report indicates nearly all of U.S. organisations polled perceive a security vacuum and feel quite threatened,” said Andrew Kellett, lead analyst for Ovum and one of the architects behind the report. “As much as we may have hoped to believe it, the Edward Snowden affair was not our data security pinnacle. According to the report, almost half of U.S. organisations polled experienced a data breach or failed a compliance audit in the past year – which tells us the situation has probably gotten more complicated.”
In 2014, the U.S. saw some of the worst data breaches in recent memory with household names Sony, Home Depot, J.P. Morgan Chase and Supervalu experiencing massive financial and reputational blows due to cyber-attacks. According to the Identity Theft Resource Center, over 700 data breaches occurred in 2014 alone, up from 614 in 2013. With these breaches have also come associated legal ramifications and public soul-searching by senior management and board level executives about where to place the blame.
“As the past year demonstrates, these threats are real and need to be addressed,” said Alan Kessler, CEO for Vormetric. “Organisations wishing to protect themselves must do more than take a data-centric approach; they must take a data-first approach. Although we are heartened that 92% of organisations plan to maintain or increase their security spending in the coming year, our larger concern is about how they plan to spend that money. The results indicate there is still disagreement about where corporate data, which is most at risk, actually resides. Our experience, observations and conversations with customers have taught us that even if the situation isn’t entirely black and white, organisations’ use of encryption, access controls and data access monitoring greatly reduce their risk and exposure.”
U.S. attacks have received the lion’s share of attention due to their size and high profiles, but worries about data security are not limited to America. According to the report:
· Despite a rash of data breaches among organisations that were considered compliant, 59% of global respondents found compliance standards to be “very” to “extremely” effective
· 55% of global respondents believe privileged users are the biggest threat. In the U.S., that number is slightly higher, with 59% citing privileged users. And while 46% of U.S. respondents believe partners with internal access pose the second-highest threat, global results point the finger at contractors and service providers
· The top 3 reasons for protecting sensitive data among those polled globally are as follows:
o Reputation and brand protection (51%)
o Compliance requirements (50%)
o Implementing best practices (38%)
· 54% of global respondents will increase security spending to offset the threat in the coming year
The current global reality is that more and more data is being stored in various repositories all over the world and more and more players – such as third party service providers and contractors – are being thrown into the mix. Although respondents generally believe compliance standards to be effective, these standards run the gamut from weak to very stringent. Companies can and should go above and beyond compliance and take common sense measures to protect themselves, including:
· Implementing encryption and access controls
· Taking careful stock of which employees should have access to data
· Diligently monitoring data access activities to get ahead of infiltrations before they snowball