Netwrix 2018 IT Risks Report: Insiders Cause More than 50% of Data Breaches
We recently released the third annual Netwrix IT Risks Report. It summarizes our in-depth study of six major IT risks: physical damage, intellectual property theft, data loss, data breach, system disruption and compliance penalties.
We asked 1,558 organizations of various sizes, regions and verticals to evaluate their threat landscape and share what they do to minimize these six risks.
Some of the findings were quite surprising and a few were even disturbing. Here are three major takeaways.
Takeaway #1. Reality rarely matches expectations.
Perhaps the most significant finding of the survey is a vivid discrepancy between organizations’ expectations and reality. Organizations think they are targeted primarily by hackers, but real-life incidents show that insiders are much more dangerous.
For instance, organizations list hackers as the top threat to their hardware assets, but most physical damage is actually the result of mistakes, negligence or bad luck — you’re more likely to suffer physical damage from a business user spilling coffee on a computer than from an attack by a hacker.
The same goes for data breaches. Half of the breaches organizations experienced were due to errors by regular business users, which is far from the perception that hackers cause most data breaches. IT team members and mid-level managers also pose a substantial threat to data and systems, whether through malicious actions or mistakes; after all, forgetting to update a key system or accidentally misconfiguring a server can have far-reaching consequences.
We also found the expectation vs. reality mismatch in regard to visibility into the IT environment. Over 60% of organizations think that their level of visibility into user activity is high enough. Unfortunately, this is a false sense of security: Almost half of respondents (44%) either do not know or are unsure how their employees are interacting with sensitive files, which means that they have very little control over what’s going on in their IT environment and will not be able to detect unauthorized activity until it causes real damage.
Takeaway #2. Human errors lead to more incidents than malicious actions.
Most security incidents associated with insider activity happen due to human mistakes rather than malicious intent. Simple mistakes by regular business users, IT team members and mid-level managers are the leading scenario for three of the six risks: intellectual property theft (22%), data breaches (29%) and data loss (50%). Plus, human errors are second only to power outages as the cause of system disruptions.
Security incidents happen mostly because people forget to lock their computers, fall for phishing emails, or download sensitive data to a flash drive so they can work from home on the weekend. Underlying reasons include poor corporate policies, low security culture and the fact that most organizations have little to no visibility into user activity. As a result, they are unable to spot behaviour that violates security policies and miss the chance to teach their staff proper workflows in order to avoid incidents in the future.
Takeaway #3. Security basics are still neglected.
Many organizations fail to follow the simple and relatively cheap security best practices recommended by industry professionals. By ignoring them, organizations do themselves a disservice, as they remain in the dark regarding vulnerabilities and critical cyber threats.
In particular, most organizations regularly practice only a few security controls, such as patching software and updating user passwords. They rarely or never get rid of stale and unnecessary data or bother to classify the data they store. As a result, they leave their environment vulnerable to many security threats. Organizations also fail to control shadow IT — they still do not consider it important to review the software that employees use.
Moreover, we were unpleasantly surprised that only 17% of organizations have an actionable incident response plan. The rest either have a draft of a plan, have a plan but do not communicate it well, or have no plan at all, which means that they cannot respond promptly when a security incident occurs and minimize the damage.
Our report revealed that most organizations focus on defending their data and IT environment from outside threats and often leave internal threat actors, such as regular users, privileged employees and IT staff, out of scope. It’s said that nothing is certain except death and taxes, but IT pros should add one thing to that list: that everyone can make mistakes.
Even if a staff member has no malicious intent, their negligence or inattention can lead to a severe incident. Therefore, to combat IT risks effectively, you need to make security best practices the basis of your security strategy and ensure you have full control over what is happening across your environment.