Remote and hybrid work models are no longer “new,” now that we’re two years into COVID-19 safety measures. Working remotely, at least part of the week, is here to stay for many organizations. Yet CISOs still struggle to prevent data loss, either intentional or unintentional, that occurs when employees resign.
Cybersecurity firm Code42 last month released its Annual Data Exposure Report for 2022, which surveyed 700 U.S. business executives, senior cybersecurity leaders, and cybersecurity practitioners in October 2021.
With a record number of people quitting their jobs, it’s no wonder nearly all respondents (98%) have cybersecurity concerns about departing employees.
Sixty-one percent of respondents stated that their organization has an insider risk management program in place. However, organizations allocate, on average, only 21% of their cybersecurity budget to mitigating that risk. Public sector and financial services industries lead the way in insider risk management, allocating, on average, as much as 26% of their global cybersecurity budget to combatting insider risks.
Considering the gap between need and budget, it should be no surprise that 91% of IT professionals believe their company’s board requires a better understanding of insider threats.
Cybersecurity Leaders Lack a Voice in Business Decisions
Code42’s report reveals a disconnect between business leaders’ and cybersecurity teams’ views on insider risk management.
The groups that were surveyed -- business leaders, cybersecurity leaders and cybersecurity practitioners -- showed differing views on what mattered most. Forty-nine percent of business leaders are most concerned about lack of visibility into the types of data that leaves with departing employees, while 52% of cybersecurity practitioners are most concerned about data saved on local machines or personal hard drives. This finding highlights a tendency for business leaders to worry more about the content of the data that is exposed, while practitioners worry more about how data is exposed.
Cybersecurity professionals are on the front lines of confronting insider risk and generally have a firm grasp of the scope and impact of the risk. Despite this, many may be rarely consulted by C-suite executives on how to address the problem. Fifty-six percent of cybersecurity leaders and practitioners agree that they lack a strong voice in decisions made by business leadership teams.
The report’s findings showed that boards strongly affect cybersecurity leaders’ ability to make decisions, but who’s influencing the board? Forty-five percent of cybersecurity professionals believe that the board tends to listen to the data governance and compliance team more than it does to them.
Zero-trust security could offer a means to closely align the board and cybersecurity professionals. “The best way to close the gap between IT and management concerns is to implement a zero-trust approach,” said George Gerchow, chief security officer at Sumo Logic. “With the emergence of the cloud, there is no longer a perimeter to secure, and the focus needs to shift to protecting the never-ending streams of data.”
Insider Risk Management Priorities
According to Code42’s research, about three-fourths (71%) of respondents said they are worried about lack of visibility over what and/or how much sensitive data departing employees take to other companies. The same proportion (71%) are concerned about sensitive data saved on departing employees’ local machines, personal hard drives, and/or personal cloud storage and services. These concerns are grounded in real-world examples of employees taking data to competitors -- or even worse, using that data for criminal undertakings.
Ninety-six percent agreed that they need to improve data security training programs for employees, while 55% expressed a need for better employee training in the handling of sensitive data.
The pandemic brought about a surge in remote work, which has certainly contributed to mounting anxieties about insider risk. Ninety-seven percent of respondents said they are concerned about remote workforces. However, far fewer (43%) respondents said that improving remote/hybrid work technologies is a top-two priority for their company, suggesting a gap between concern and prioritization for remote workforce security.