Cybersecurity budgets have exploded exponentially over the past five years, with many analysts predicting that worldwide spending will exceed $1 trillion by 2025.
A quick look at the headlines shows that cybersecurity professionals are losing the war. Every month, several major brands and organizations—household names like the CIA, Twitter and Hershey—are forced to announce they have been the victims of a data breach. Millions of organizational strategy documents, customer lists, account credentials and product designs, as well as personally identifiable information (PII), are exposed every year.
Is this what $1 trillion gets you these days? Maybe, maybe not.
The problem isn’t the amount of money being spent on cybersecurity. It’s how budgets are allocated. According to our 2019 Data Exposure Report, two-thirds of breaches are inside jobs. Yet, insider threat programs account for less than 10% of the budget. It’s clear that enterprise cybersecurity efforts are not being prioritized properly.
No one suspects their own family
Why does this misallocation of cybersecurity funds exist? I haven’t seen a definitive study or survey, but I have a couple of guesses. No one wants to believe that people they know are stealing from them. It’s human nature to trust the people around us and stigmatize strangers. It’s our tribal ancestry coming through in our 21st century world.
Before Covid, we passed Katie from accounting in the hallway. We ate lunch with the sales team in the cafeteria. We were on a bowling team with Janet the developer every Tuesday night. It can seem inconceivable that insiders are your organization’s greatest threat to security. It’s much easier to blame insidious hackers in the shadows trying to worm their way into your network to steal your intellectual property.
It’s getting easier to steal information from the inside
Insider threats are successful because they are relatively easy to pull off. It takes just a few seconds to download a list of customers that you cultivated or to drag that kick-ass marketing plan you worked so hard on to a thumb drive as you head off to greener pastures. More egregious but just as easy is the process to download product development plans to a personal Dropbox account and offer them to a competitor.
Insider threats are getting harder to detect and stop in the age of Covid. Workforces are largely remote, and people are often off the corporate network and away from prying eyes. When the shelter-in-place orders went into effect across the country, enterprises had to figure out how to ensure application access for a remote workforce. Often, because of time and convenience, access was extended and the question of how it would impact risk was put on the back burner.
As a result, finance employees using their lightly secured home networks were suddenly accessing sensitive information that was never meant to leave the data center. Developers were pushing code to production from their home office. And the marketing department was sharing devices with their school-aged children participating in remote learning.
Protect the business but preserve the culture
Despite the obvious need for more robust insider threat programs, security controls cannot come at the expense of the collaboration culture. Employees still require access to the tools and information they need to do their jobs, but enterprises can provide access in a safe, practical manner. Instead of thinking about how best to block content, security teams should consider taking a more trust-based approach by monitoring for abnormal file movements. Notifications can be set that trigger a warning if a customer database is downloaded to an unsanctioned app, like a Dropbox account, or if an employee is found to have changed the file extension on some “family” photos he emailed to his personal account in the weeks before he submitted his resignation letter. This is a more pragmatic and efficient way to harden a company’s insider threat program while mitigating risk.
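The two notifications described above can be expressed as simple rules over file-movement telemetry. The following is an added example, not code from the article or from any product: the event fields, the allow-list of sanctioned destinations and the data tags are all assumptions, and the sample events are constructed.

```python
# Added example: constructed file-movement events, not output from a real product.
SANCTIONED = {"corp-sharepoint", "corp-mail"}        # assumed allow-list
SENSITIVE_TAGS = {"customer-db", "product-design"}   # assumed data labels

# Leading "magic" bytes mapped to the extensions that legitimately carry them.
MAGIC = [
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"%PDF-", {".pdf"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),
]

def extension_mismatch(name, head):
    """True when the file's leading bytes contradict its extension."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for magic, exts in MAGIC:
        if head.startswith(magic):
            return ext not in exts
    # Unrecognised content wearing a known media/document extension.
    return any(ext in exts for _, exts in MAGIC)

def evaluate(event):
    """Return the alert names raised by one file-movement event."""
    alerts = []
    unsanctioned = event["dest"] not in SANCTIONED
    if unsanctioned and event.get("tag") in SENSITIVE_TAGS:
        alerts.append("sensitive-data-to-unsanctioned-destination")
    if unsanctioned and extension_mismatch(event["file"], event["head"]):
        alerts.append("disguised-file-to-unsanctioned-destination")
    return alerts

EVENTS = [  # constructed sample telemetry; "head" is the first bytes of the file
    {"user": "u1", "file": "customers.xlsx", "head": b"PK\x03\x04\x14\x00",
     "dest": "dropbox-personal", "tag": "customer-db"},
    {"user": "u2", "file": "family_01.jpg", "head": b"PK\x03\x04\x14\x00",
     "dest": "personal-webmail", "tag": None},
    {"user": "u3", "file": "holiday.jpg", "head": b"\xff\xd8\xff\xe0",
     "dest": "personal-webmail", "tag": None},
    {"user": "u4", "file": "roadmap.pdf", "head": b"%PDF-1.7",
     "dest": "corp-sharepoint", "tag": "product-design"},
]

def triage(events):
    """Map each user to their alerts, omitting events that raise none."""
    results = {e["user"]: evaluate(e) for e in events}
    return {user: alerts for user, alerts in results.items() if alerts}

if __name__ == "__main__":
    for user, alerts in triage(EVENTS).items():
        print(user, alerts)
```

The genuine photo and the sanctioned upload raise nothing, so normal work is not interrupted; only the tagged download to a personal account and the renamed archive reach the security team.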
Managing insider threats should not disrupt the business of getting things done. But it’s clear that enterprises need to invest more in their insider threat efforts. Enterprises need to implement an insider threat program that monitors for abnormal file movements and sets off automatic triggers to inform the security team. Until resources are more aligned to threats, headlines about major brands will continue to dominate the newsstand.