insider threats

(Source – Shutterstock)

APAC organizations still taking insider threats lightly

Insider threats continue to be a big problem for organizations around the world. However, there are concerns that most organizations are not viewing the problem as seriously as they should.

New research, commissioned by Imperva and conducted by Forrester, found that the majority (58%) of incidents that negatively impacted sensitive data in the last 12 months was caused by insider threats, and yet more than half (59%) of APAC organizations do not prioritize insider threats the way they prioritize external threats.

Despite numerous education, training, and workshops, employees have constantly been said to be the weakest link in cybersecurity for an organization. When it comes to insider threats, the study showed that organizations are failing to address the issue. This is deeply concerning especially with the rampant increase of cyberattacks caused by insider threats happening today.

In APAC, most of the respondents to the study blamed a lack of budget (41%) and internal expertise (38%) as well as other problems abound. A third (33%) of firms do not perceive insiders as a substantial threat, and 24% say their organizational indifference to insider threats is due to internal blockers such as a lack of executive sponsorship.

In fact, three-quarters (74%) of APAC organizations do not have an insider risk management strategy or policy, and 70% do not have a dedicated insider threat team. Put simply, employees could be the cause of a cyberattack or data breach and not be held accountable for it due to a lack of policy.

Are insider threats not serious enough?

Previous analysis by Imperva into the biggest data breaches of the last five years found one quarter (24%) of these were caused by human error (defined as the accidental or malicious use of credentials for fraud, theft, ransom, or data loss) or compromised credentials.

For George Lee, vice president for the Asia Pacific and Japan at Imperva, this approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher. Lee felt the rapid shift to remote working means many employees are now outside the typical security controls that organizations employ, making it harder to detect and prevent insider threats.

“Further, the great resignation is creating an environment where there is a higher risk of employees stealing data. This data could be stolen intentionally by people looking to help themselves in future employment, or it could be taken inadvertently when an employee leaves the organization,” commented Lee.

Lee also pointed out that APAC firms are prioritizing external threats over insider threats, despite the fact that insider events occur more often.

“Insider threats are hard to detect because internal users have legitimate access to critical systems, making them invisible to traditional security solutions like firewalls and intrusion detection systems. This lack of visibility is a significant risk to the security of an organization’s data. That is why leaders need to focus on the potential threats lurking within their own network,” added Lee.

As such, organizations looking to better protect against insider threats should take the following steps:

  • Gain stakeholder buy-in to invest in an insider risk program
  • Follow Zero Trust principles to address insider risk
  • Build a dedicated function to address insider risk
  • Create processes for your insider risk program and follow them
  • Implement a comprehensive data security strategy

For now, encryption (54%) and periodical manual monitoring/auditing of employee activity (44%) are the main strategies currently being used by APAC organizations to protect against insider threats and unauthorized usage of credentials. Some organizations are also training employees to ensure they comply with data protection/data loss prevention policies (57%).

However, no matter how much training is provided to employees, breaches and other data security incidents are still occurring and more than half (55%) of respondents said that end users have devised ways to circumvent their data protection policies.