Remote and hybrid work models are no longer “new” now that we are two years into COVID-19 safety measures. Remote work, at least part of the week, is here to stay for many organizations. Yet CISOs still struggle to prevent the data loss, intentional or unintentional, that occurs when employees quit.
Cybersecurity firm Code42 released its annual Data Exposure Report for 2022 last month, which surveyed 700 US business executives, senior cybersecurity officials and cybersecurity practitioners in October 2021.
With a record number of people leaving their jobs, it’s no wonder that nearly all respondents (98%) have cybersecurity concerns about departing employees.
Sixty-one percent of respondents said their organization had an insider risk management program in place. However, organizations allocate, on average, only 21% of their cybersecurity budget to mitigate this risk. The public sector and financial services industries are leading the way in insider risk management, allocating on average up to 26% of their overall cybersecurity budget to insider risk management.
Given the gap between needs and budget, it’s no surprise that 91% of IT pros think their company’s board needs a better understanding of insider threats.
Cybersecurity leaders have no voice in business decisions
Code42’s report reveals a disconnect between the views of business leaders and cybersecurity teams on insider risk management.
The groups surveyed — business leaders, cybersecurity managers, and cybersecurity practitioners — showed differing opinions on what matters most. Forty-nine percent of business leaders are most concerned about the lack of visibility into what types of data departing employees take, while 52% of cybersecurity practitioners are most concerned about data stored on local machines or personal hard drives. This finding highlights a tendency for business leaders to worry more about the content of the data exposed, while practitioners worry more about how the data is exposed.
Cybersecurity professionals are on the front lines of dealing with insider risk and generally have a good understanding of the scope and impact of risk. Despite this, many are rarely consulted by C-suite executives on how to fix the problem. Fifty-six percent of cybersecurity leaders and practitioners agree that they have no say in decisions made by corporate leadership teams.
The report’s findings showed that boards of directors strongly affect the ability of cybersecurity leaders to make decisions, but who influences the board? Forty-five percent of cybersecurity professionals think the board tends to listen more to the data governance and compliance team than to them.
Zero Trust Security could offer a way to closely align the board and cybersecurity professionals. “The best way to bridge the gap between IT and management concerns is to implement a zero-trust approach,” said George Gerchow, chief security officer at Sumo Logic. “With the emergence of the cloud, there is no longer a perimeter to secure, and the focus must be on protecting endless streams of data.”
Insider risk management priorities
According to Code42 research, around three-quarters (71%) of respondents said they were concerned about the lack of visibility into what and/or how much sensitive data departing employees take to other companies. The same proportion (71%) are concerned about sensitive data stored on local machines, personal hard drives and/or departing employees’ personal cloud storage and services. These concerns are based on real-world examples of employees passing data to competitors – or even worse, using that data for criminal enterprises.
Ninety-six percent agreed they needed to improve data security training programs for employees, while 55% expressed the need for better employee training in handling sensitive data.
The pandemic has led to an increase in remote working, which has certainly contributed to heightened concerns about insider risk. Ninety-seven percent of respondents said they are concerned about remote workers. However, significantly fewer respondents (43%) said that improving remote/hybrid work technologies is one of their company’s top two priorities, suggesting a gap between concern and priority for remote workforce security.