In the past few years, rapid growth in the volume of sensitive information combined with new technologies has chipped away at the effectiveness of traditional endpoint protections and network perimeter security. As a result, a full 93% of US organizations believe they are vulnerable to insider threats.
According to Vormetric’s 2015 Insider Threat Report, conducted in tandem with Ovum, organizations increasingly have warranted concerns about the number and types of employees who have access to sensitive data. More than half (59%) of US respondents believe privileged users pose the most threat to their organization. And, 55% of global respondents believe this. And while 46% of US respondents believe partners with internal access pose the second-highest threat, global results point the finger at contractors and service providers.
And while Edward Snowden may be viewed as the “insider threat” poster child, not all employees have malicious intentions. Simply by having access, privileged insiders may unwittingly put data at risk—or be used by an outside actor as a conduit for siphoning data.
Meanwhile, 46% of US respondents believe cloud environments are at the greatest risk for loss of sensitive data in their organization, while 47% believe databases have the greatest amount of sensitive data at risk.
“Vormetric’s 2015 Insider Threat report indicates nearly all of U.S. organizations polled perceive a security vacuum and feel quite threatened,” said Andrew Kellett, lead analyst for Ovum, in a statement. “As much as we may have hoped to believe it, the Edward Snowden affair was not our data security pinnacle. According to the report, almost half (44%) of the US organizations polled experienced a data breach or failed a compliance audit in the past year—which tells us the situation has probably gotten more complicated.”
In 2014, the U.S. saw some of the worst data breaches in recent memory with household names like Sony, Home Depot, J.P. Morgan Chase and Supervalu experiencing massive financial and reputational blows due to cyberattacks. According to the Identity Theft Resource Center, more than 700 data breaches occurred in 2014 alone, up from 614 in 2013. Incidents also hit a milestone of 5,029 reported data breach incidents, involving more than 675 million estimated records.
“As the past year demonstrates, these threats are real and need to be addressed,” said Alan Kessler, CEO for Vormetric. “Organizations wishing to protect themselves must do more than take a data-centric approach; they must take a data-first approach.”
The data breach tsunami has prompted associated legal ramifications and public soul-searching by senior management and board-level executives at compromised businesses about where to place the blame.
And, it’s raised awareness elsewhere: Preventing a data breach is the highest or second-highest priority for IT security spending for 54% of respondents’ organizations. And, 34% of U.S. respondents say their organizations are protecting sensitive data because of a breach at a partner or a competitor
Further, 92% of organizations said that they plan to maintain or increase their security spending in the coming year.
“Although we are heartened [by that], our larger concern is about how they plan to spend that money,” Kessler said. “The results indicate there is still disagreement about where corporate data which is most at risk actually resides. Our experience, observations and conversations with customers have taught us that even if the situation isn’t entirely black and white, organizations’ use of encryption, access controls and data access monitoring greatly reduce their risk and exposure.”