There were numerous watershed moments in the tech and business world over the last year and a half. In the beginning of the pandemic, adaptability was a necessity. Organizations did what they could to maintain continuity as they lost the structure of physical office space and gained hundreds and thousands of makeshift home offices. Employees found creative ways to collaborate with dispersed colleagues. Persevering and improvising through a crisis is one thing. But maneuvering through the post-pandemic era comes with its own challenges.
In January 2021, Microsoft CEO Satya Nadella predicted a “second wave of digital transformation sweeping every company and every industry” as companies aggressively target growth. This second wave presents an opportunity: resilience building. Enabling a fast-paced, cloud-powered collaboration culture is critical to rapidly growing companies – positioning them to out-innovate, out-perform and out-smart their competitors.
But when business leaders focus on achieving this level of digital velocity, they often overlook how business and cybersecurity are fundamentally entwined. As a result, many organizations deprioritize one rapidly growing cybersecurity challenge that can have direct ramifications for the business at large: insider risk.
Insider Risk: The Business Problem You Can’t Ignore
Insider risk is defined as any user-driven data exposure event – security, compliance or competitive in nature – that jeopardizes the financial, reputational or operational well-being of a company and its employees, customers and partners. Thousands of these events occur every day, ranging from accidental user error and employee negligence to actual malicious users.
How bad is the problem? Aberdeen Research studied the impact of failing to manage insider risk. They found that:
- 1 in 3 reported data breaches involve an insider – and about 80% of those are not malicious but unintended
- A breach was 4.5x more likely to happen on an endpoint like a laptop than on a server
- The cost of an insider data breach can be as much as 20% of a company’s annual revenue
These numbers show that current efforts to prevent data leaks and theft are not working as well as they need to be. It’s also clear that Security Education & Awareness programs are falling short. Simply focusing on mandated compliance training stops short of changing behaviors. On top of that, many security teams struggle with establishing an insider risk management program. In most cases, they don’t know where to start, nor do they have the metrics to justify it. A good start is to look at the sort of situations that lead to insider risk.
When Are You Most Exposed to Insider Risk?
Insider risk to data is often triggered and/or elevated at times of organizational change. Why? Organizational change drives employee uncertainty, which leads to anxiety, which leads to mistakes, which results in increased insider risk. Here are a few examples that happen across organizations of all sizes:
- Pre/Post Merger or Acquisition (M&A) and Initial Public Offering (IPO): These elevate the risk of data loss and theft because they commonly trigger employee reorganizations, redundancies, and layoffs. Employees may also leave voluntarily due to worries about their job security.
- Pre/Post Leader & Org Change, Layoffs: Changes in executive leadership and/or restructuring efforts are common, but such changes put corporate data at increased risk. When leaders change and employees move to new teams or inherit additional responsibilities, they gain access to new information and systems.
- Pre/Post Culture, Tech, Policy Changes: The ever-changing dynamics of corporate culture, technology and policy are often a trigger for insider risk. A good example of this was the shift to remote work during the pandemic, when there was an 85% increase in the likelihood of employees leaking data.
- Product Launches, Customer Deals, Partner Contracts: In fast-moving organizations where time to market, revenue and value are paramount, employees are creating, sharing, and moving data every second of every day. The hidden risk in time-sensitive projects is – what happens if the information goes public before the official announcement?
During times of heightened data sensitivity, the right people, processes and technology must be in place to prevent insider risk. An important element of this is what is called Security Education and Awareness training. Traditional programs focus on annual or semi-annual employee education to meet the demands of Compliance. Or they consist of surprise simulations aimed to catch employees falling for phishing attempts. But to achieve more holistic and necessary change, employee training must focus on reducing insider risks. By empowering a more risk-aware workforce, organizations can reduce accidental and negligent employee data leaks, while also measuring, reporting and improving their insider risk posture.
Insider risk is no longer an unrecognized business risk – it’s an impediment to growth, innovation, sales and conducting business. Business leaders need to start seeing security strategies like insider risk management as a competitive advantage — a key to unlocking the full growth potential of this next wave of digital transformation.
This story was produced by WIRED Brand Lab for Code42.

