Cybersecurity is one of the hottest topics discussed at our Meet the Boss roundtables. IT and security executives from global companies large and small converge on our panel discussions to talk about how every company everywhere is exposed to risk and how the attack surface is ever-expanding.
For many of us, talk of cybercrime conjures up an image of a covert hacker hiding in a dark room, infiltrating a company from a whole hemisphere away. But a worrisome percentage of breaches are actually much closer to home.
Insider Threats
While external threat actors account for 80% of all attacks, that leaves 20% of breaches being perpetrated by insiders – actors like employees, contractors, or partners – according to numbers from Verizon’s latest Data Breach Investigations Report. And, according to email security firm Tessian, insider breaches have particular potential to devastate from an exposure perspective, resulting in records exposure 10x greater than external breaches.
Consider the recent hacking of OpenSea, the world’s largest nonfungible token (NFT) marketplace. In a statement to users, the company announced that an employee at its email vendor accessed, downloaded, and stole the email addresses of OpenSea users, putting them at risk of falling victim to deceptive phishing attacks. The company warned users about “malicious actors” that “may try to contact you using an email address that looks visually similar to our official email domain.”
Indeed, insider risk makes even the most robustly fortified organizations nervous. In its 2021 Insider Data Breach Survey, security platform Egress spoke with 500 IT leaders and 3,000 employees from companies across the US and the UK. From the numbers, we see that 94% of organizations reported an insider data breach. The vast majority of those breaches (84%) were down to “human error” – sending a sensitive email to the wrong recipient, for instance, with no apparent malintent. But when surveyed about the category of insider breaches that most concern them, IT leaders agreed that it’s the purposeful, intentionally malicious behavior that worries them most.
Seeking the Maximum Amount of Damage
Take a look at this quote Egress included in their study, which conveys the concerns brilliantly: “The malicious breach is different. It’s pre-planned,” says Steve Williamson, Head of Internal Audit – Information Security & Data Protection at GSK. He goes on to tell Egress, “Malicious insiders work out the rules and thresholds of the technical safeguards an organization has in place and identify ways around them to do the maximum amount of damage they can.”
What can IT leaders do to insulate the organization against such threats?
The Human Layer
During a pair of recent Meet the Boss roundtables sponsored by Tessian, the email security company explained how critical it is to secure the human layer in the enterprise, starting with email.
Using machine learning, Tessian says an organization’s data can be turned into insight, capable of predicting whether behaviors or patterns are subversive or harmless. These safeguards can prevent data exfiltration attempts, detect misdirected emails before they’re sent, and identify phishing attempts.
But even more fundamental than tools, the IT leaders and security executives who attended these panel discussions are talking about organizational security culture. Panelists say everyone in the company must identify as part of the security solution. And that means changing outdated attitudes.
One executive from a multinational IT consulting firm shared an attitude she’s observed within several organizations: the flippant “it’s not my job” filter, which can wreak havoc when employees perceive their role through that lens.
To combat this, IT leaders on our roundtable talked about expanding the way security trainings and tools are rolled out to employees. Instead of focusing on protecting the organization, companies can focus on making employees more well-rounded and cyber-aware in general. By empowering them to be more security-minded in their personal lives, aware of fraud and scams, employees will bring that same behavior and awareness to work.
Together with the right tools to intelligently protect the organization and strengthen email security, a smarter security culture is the key to defending against any security breach – internal or external.