Clearswift Survey: “Insider threat falls in UK and Germany post-GDPR, but US risk increases”

New research carried out by data security company Clearswift has shown that, year-on-year, cyber security incidents perpetrated by those from within an organisation, as a percentage of all incidents, have fallen in the UK and Germany, two countries currently subject to the European Union’s General Data Protection Regulation (GDPR). However, in the United States, a country outside the GDPR’s direct jurisdiction, such threats are on the rise.

The research* surveyed 400 senior IT decision-makers in organisations of more than 1,000 employees across the UK, Germany and the US. The data reveals that the true insider threat, which takes into account inadvertent and malicious threats from the extended enterprise (i.e. employees, customers, suppliers and ex-employees), now sits at 65% in the UK, down from 73% in 2017.

Similarly, senior IT decision-makers in Germany also saw a drop, to 75% from 80% the previous year. US respondents, by contrast, saw a rise in the insider threat, up to 80% from 72% in 2017.

Direct threats from an employee within the business – either inadvertent or malicious – now make up 38% of incidents. This halts the upward trend seen in 2015 and 2017, when the figures were 39% and 42% respectively. Threats from ex-employees account for 13% of all cyber security incidents, highlighting a clear need for better processes when employees leave the business.

“Although there’s a slight decrease in numbers in the EMEA region, the results once again highlight the insider threat as being the chief source of cyber security incidents,” said Dr Guy Bunker, senior vice-president of products at Clearswift. “Three quarters of incidents are still coming from within the business and its extended enterprise, which is far greater than the threat from external hackers. Businesses need to shift the focus inwards.”

Bunker continued: “I think at the very least what the GDPR has done is ensure firms have a better view of where critical data sits within their business and has highlighted to employees the fact that data security is now of critical importance, which may be why we’ve seen a drop in the insider threat across EU countries. If a firm understands where the critical information within the business is held and how it’s flowing in and out of the network, then it’s best placed to manage and protect it from the multitude of threat vectors we’re seeing today.”

Majority of incidents not deliberate

Although internal threats pose the biggest risk to most organisations, employers believe that the majority (62%) of incidents are accidental or inadvertent rather than deliberate. This number is slightly down on 2017, when the result was 65%.

The insider threat was slightly lower for companies with over 3,000 employees (36%) than for those with between 1,000 and 3,000 employees, a possible indication of more robust internal processes and checkpoints at larger businesses.

Bunker added: “Organisations need to have a process for tracking the flow of information in the business and have a clear view on who’s accessing it and when. Businesses also need to ensure that employees ‘buy-in’ to the idea that data security is now a critical issue for the business. Educating them on the value of data, on different forms of data, what is shareable and what’s not is crucial to a successful cyber security strategy. Having said that, mistakes can still happen and technology can act as both the first and last line of defence. In particular, adaptive data loss prevention solutions can automatically remove sensitive data and malicious content as it passes through a company network.”

*The research was conducted by technology research firm Vanson Bourne. Over 600 business decision-makers and 1,200 employees from the UK, US, Germany and Australia were polled to map the attitudes of businesses and employees relating to cyber security.

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.