December 17, 2014 By Jaikumar Vijayan 3 min read

The recent massive data breaches at Sony, Target, Home Depot and other major brands appear to have convinced many IT executives that external attackers pose a bigger threat to enterprise data than insiders with privileged access to corporate networks and systems. However, a new survey by identity and access management vendor SailPoint suggests it may be premature to diminish the risk posed by insiders just yet.

Survey Shows Risky Behavior

The report by independent research firm Vanson Bourne to study employee attitudes toward corporate data and found that cloud applications have actually increased risky behavior by employees at many companies.

The research firm polled about 1,000 office workers at medium-sized companies in the United States, United Kingdom, France and three other countries for the survey. About 20 percent of the respondents said they had uploaded corporate data to cloud applications such as Dropbox and Google Docs without corporate’s blessing for the purpose of using and sharing the data outside of work.

Some 25 percent of U.S. respondents said they had purchased and were using applications such as Concur, Workday, Dropbox and DocuSign at work without any IT help or knowledge. A stunning 69 percent said they would be able to access corporate data stored in the cloud even after they left their company, while more than 1 in 4 admitted to taking corporate data with them when they left a company.

Security Awareness

The survey showed that employees engaged in such behavior despite being clearly aware of corporate policies pertaining to data usage and protection. For example, though more than 60 percent of respondents said they were aware that their employer strictly forbade them from taking intellectual property when leaving the company, 25 percent did so anyway.

The insider threat issue is certainly not new. Security experts have long cautioned about the threat posed to corporate data from employees, partners, suppliers and others with privileged access to business systems. Organizations such as the U.S. Computer Emergency Response Team describe an insider threat as a situation where a current or former employee, contractor or anyone with authorized access to an organization’s network intentionally misuses that access to compromise the confidentiality or integrity of corporate data or computer systems.

However, in addition to intentional sabotage and damage, insiders can also compromise data security and privacy through careless or negligent actions — often through accidental misuse of corporate data.

Cloud Apps Heighten Risk

The SailPoint report does not distinguish between the two threats. Instead, it shows that the growing tendency among employees to purchase and use consumer cloud apps for storing and sharing corporate data without involving IT departments has caused new risks for enterprises.

“The survey results are an eye-opener of how cloud applications have made it easy for employees to take information with them when they leave a company,” said Kevin Cunningham, founder and president of SailPoint, in a prepared statement accompanying the report.

Another recent report by the Ponemon Institute showed that a lack of control over who has access to confidential and sensitive information often exacerbates the insider threat problem. The survey of over 2,200 employees in both U.S. and European organizations found that many employees who work in areas such as sales, financing and accounting often have too much access to intellectual property, customer lists, contact information and other valuable corporate data.

More than 70 percent of those polled said they had access to corporate data to which they should not have access. About 55 percent described that access as “frequent” and “very frequent.” Unsurprisingly, respondents in the survey believed that IT security controls and data oversight at their organizations were weak, with 4 in 5 IT practitioners concurring and admitting their organizations did not enforce a strict least-privilege data security model.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today