The recent massive data breaches at Sony, Target, Home Depot and other major brands appear to have convinced many IT executives that external attackers pose a bigger threat to enterprise data than insiders with privileged access to corporate networks and systems. However, a new survey by identity and access management vendor SailPoint suggests it may be premature to diminish the risk posed by insiders just yet.
Survey Shows Risky Behavior
The report by independent research firm Vanson Bourne to study employee attitudes toward corporate data and found that cloud applications have actually increased risky behavior by employees at many companies.
The research firm polled about 1,000 office workers at medium-sized companies in the United States, United Kingdom, France and three other countries for the survey. About 20 percent of the respondents said they had uploaded corporate data to cloud applications such as Dropbox and Google Docs without corporate’s blessing for the purpose of using and sharing the data outside of work.
Some 25 percent of U.S. respondents said they had purchased and were using applications such as Concur, Workday, Dropbox and DocuSign at work without any IT help or knowledge. A stunning 69 percent said they would be able to access corporate data stored in the cloud even after they left their company, while more than 1 in 4 admitted to taking corporate data with them when they left a company.
The survey showed that employees engaged in such behavior despite being clearly aware of corporate policies pertaining to data usage and protection. For example, though more than 60 percent of respondents said they were aware that their employer strictly forbade them from taking intellectual property when leaving the company, 25 percent did so anyway.
The insider threat issue is certainly not new. Security experts have long cautioned about the threat posed to corporate data from employees, partners, suppliers and others with privileged access to business systems. Organizations such as the U.S. Computer Emergency Response Team describe an insider threat as a situation where a current or former employee, contractor or anyone with authorized access to an organization’s network intentionally misuses that access to compromise the confidentiality or integrity of corporate data or computer systems.
However, in addition to intentional sabotage and damage, insiders can also compromise data security and privacy through careless or negligent actions — often through accidental misuse of corporate data.
Cloud Apps Heighten Risk
The SailPoint report does not distinguish between the two threats. Instead, it shows that the growing tendency among employees to purchase and use consumer cloud apps for storing and sharing corporate data without involving IT departments has caused new risks for enterprises.
“The survey results are an eye-opener of how cloud applications have made it easy for employees to take information with them when they leave a company,” said Kevin Cunningham, founder and president of SailPoint, in a prepared statement accompanying the report.
Another recent report by the Ponemon Institute showed that a lack of control over who has access to confidential and sensitive information often exacerbates the insider threat problem. The survey of over 2,200 employees in both U.S. and European organizations found that many employees who work in areas such as sales, financing and accounting often have too much access to intellectual property, customer lists, contact information and other valuable corporate data.
More than 70 percent of those polled said they had access to corporate data to which they should not have access. About 55 percent described that access as “frequent” and “very frequent.” Unsurprisingly, respondents in the survey believed that IT security controls and data oversight at their organizations were weak, with 4 in 5 IT practitioners concurring and admitting their organizations did not enforce a strict least-privilege data security model.