Insider Risk Is A Cultural Issue, Not Just A Cybersecurity One: Code42 Report


Code42 Software, the Insider Risk Management (IRM) company, has released its Annual Data Exposure Report (DER) for 2023. The study, conducted by independent enterprise technology market research experts Vanson Bourne, found that Insider Risk is emerging as one of the most challenging threats to detect, mitigate and manage. Although more than 70% of companies indicate they have an IRM program in place, the same companies experienced a year on year increase in data loss incidents of 32%, and 71% expect data loss from insider events to increase in the next 12 months.

With insider incidents costing organizations $16M per incident on average, and CISOs stating that Insider Risks are the most challenging type of threat to detect, the report is a clear call to action for the security industry to ‘do better’ and help professionals solve this challenge.

When compared with data from our last report, the impact of Insider Risk is being felt across an organization and is no longer limited to the cybersecurity team. 86% of respondents say an insider event would impact company culture, compared with 72% from the year prior. Similarly, impacts around employee acquisition/retention increased from 72% to 79%. This indicates that Insider Risk is an issue that is deeply intertwined with a company’s culture and has a significant impact on the business.

The study also found:
● Respondents say there would be a major or moderate impact to revenue (88%) and reputation (88%) following an Insider Risk event.
● When asked about the types of Insider Risk they’re most concerned about, respondents rank accidental as number one, followed by malicious and negligent.
● Respondents concerned with accidental events increased year over year while those concerned with negligent events decreased.

Insider Risk is a top concern for CISOs
CISOs are hyper aware of the growing challenges associated with managing Insider Risk, with over four in five (82%) CISOs indicating that data loss from insiders is a problem for their company. With 76% of CISOs anticipating data loss from insider events to increase at their company in the next 12 months, many are re-evaluating the current approaches, technologies and processes they have in place.

The study found:
● 79% of CISOs feel they could lose their job from an unaddressed insider breach due to the impact it would have on corporate culture, reputation and financial standings.
● CISOs ranked Insider Risk (27%) as the most difficult type of threat to detect at their company, placing it above cloud data exposures (26%) and malware/ransomware (22%).
● Around four out of five (79%) CISOs do not feel the leadership team (board, C-suite) places enough attention on data loss from insiders.

Effectively managing Insider Risk requires the right technology and budget
While it’s promising to see that more than 70% of companies have an IRM program in place, 85% of companies note they still face technology/visibility challenges when it comes to protecting against exploitation by insiders, suggesting that the programs in place are immature and ineffective.

The study also found:
● Only 19% of companies’ global cybersecurity budget is dedicated to detecting, investigating, responding and mitigating Insider Risk despite it being the hardest threat to detect.
● Current IRM budgets are likely insufficient as 69% indicate that their budget for Insider Risk Management will increase over the next year.
● Companies are leveraging too many technologies to protect and manage Insider Risk – with the majority using some combination of IRM (97%), User and entity behavior analytics (UEBA) / User Activity Monitoring (UAM) (97%), Enterprise Data Loss Prevention (DLP) (97%), Security awareness training/education (96%) and Cloud Access Security Broker (CASB) (96%).

As the need for data security training increases, the quality of trainings matters just as much as the frequency of trainings
The frequency of cybersecurity training has increased over time with 30% of companies now conducting training weekly compared with 22% in our last report. However, the data indicates that frequency alone is not effective in building resilience to Insider Risk. The quality of training is equally important and organizations must find a way to balance the two.

The study found:
● The majority (93%) of CISOs agree that the new hybrid-remote workforce has increased the need for data security training in their company.
● Those organizations conducting training weekly are more likely to say a complete overhaul is needed than those conducting it monthly (22% vs. 10% respectively).
● The companies conducting monthly security training dropped from 32% to 27% year over year, with data indicating that more organizations are providing weekly training.