New research carried out by data security company Clearswift has shown that, year-on-year, cyber security incidents perpetrated by insiders, as a percentage of all incidents, have fallen in the UK and Germany, two countries now subject to the European Union’s General Data Protection Regulation (GDPR). In the United States, however, a country outside the GDPR’s direct jurisdiction, such threats are on the rise.
The research* surveyed 400 senior IT decision-makers in organisations of more than 1,000 employees across the UK, Germany and the US. The data reveals that the true insider threat, which takes into account both inadvertent and malicious threats from the extended enterprise (i.e. employees, customers, suppliers and ex-employees), now stands at 65% of incidents in the UK, down from 73% in 2017.
Similarly, senior IT decision-makers in Germany also saw a drop to 75%, down from 80% the previous year. US respondents actually saw a rise in the insider threat (which is up to 80% from 72% in 2017).
Direct threats from an employee within the business, whether inadvertent or malicious, now make up 38% of incidents. This reverses the upward trend seen in 2015 and 2017, when the figures were 39% and 42% respectively. Threats from ex-employees account for 13% of all cyber security incidents, highlighting a clear need for better offboarding processes when employees part ways.
“Although there’s a slight decrease in numbers in the EMEA region, the results once again highlight the insider threat as being the chief source of cyber security incidents,” said Dr Guy Bunker, senior vice-president of products at Clearswift. “Three quarters of incidents are still coming from within the business and its extended enterprise, which is far greater than the threat from external hackers. Businesses need to shift the focus inwards.”
Bunker continued: “I think at the very least what the GDPR has done is ensure firms have a better view of where critical data sits within their business and has highlighted to employees the fact that data security is now of critical importance, which may be why we’ve seen a drop in the insider threat across EU countries. If a firm understands where the critical information within the business is held and how it’s flowing in and out of the network, then it’s best placed to manage and protect it from the multitude of threat vectors we’re seeing today.”
Majority of incidents not deliberate
Although internal threats pose the biggest risk to most organisations, employers believe that the majority (62%) of incidents are accidental or inadvertent rather than deliberate in intent. This figure is slightly down on 2017 (when the result was 65%).
The insider threat was slightly lower (36%) for companies with more than 3,000 employees than for those with between 1,000 and 3,000 employees, a possible indication of more robust internal processes and checkpoints at larger businesses.
Bunker added: “Organisations need to have a process for tracking the flow of information in the business and have a clear view on who’s accessing it and when. Businesses also need to ensure that employees ‘buy-in’ to the idea that data security is now a critical issue for the business. Educating them on the value of data, on different forms of data, what is shareable and what’s not is crucial to a successful cyber security strategy. Having said that, mistakes can still happen and technology can act as both the first and last line of defence. In particular, adaptive data loss prevention solutions can automatically remove sensitive data and malicious content as it passes through a company network.”
*The research was conducted by technology research firm Vanson Bourne. Over 600 business decision-makers and 1,200 employees from the UK, US, Germany and Australia were polled to map the attitudes of businesses and employees relating to cyber security.