There is a great infographic put out by the good folks at Deloitte on the topic of insider threats. They’ve done a wonderful job packing a great deal of information into an easy to understand presentation.
I was struck by the stats at the top of the infographic:
- 97% of insider threat cases studied by Stanford University involved an employee whose behavior a supervisor had flagged, but that the organization failed to follow up on.
A lot to unpack here. The overwhelming majority of cases studied were, in hindsight, not a surprise. The behavioral warning signs were there.
- 92% of insider threat cases were preceded by a negative work place event, such as a termination, demotion, or dispute with a supervisor.
I’ve written and talked about the need for Infosec to partner with HR to make sure that the organization is taking appropriate steps to defend itself. This can be done without violating employee privacy, and it needs to start happening. HR has insight that security needs. Fail to collaborate at your own risk.
- 59% of employees who leave an organization voluntarily or involuntarily say that take sensitive data with them.
- 90% of IT employees indicate that if they lost their jobs, they’d take sensitive company data with them.
We’ve surveyed on this same topic on the past, as have others. A couple of years ago, the overall number was lower – right at 50%. While it could be the survey methodology, I am intrigued that we may actually be seeing an increase in IP walking out the door at the end of the employee lifecycle. I’m shocked by the higher number for IT. This issue is relevant to every organization, regardless of vertical or size. I’m speaking on this topic – and how you can address the problem – at Secure360 Twin Cities on May 18. Get there if you can. I hear it’s lovely this time of year.
The bad news is that we have problems. The call is coming from inside the house. The good news is there are ways to address the problems. We’ll delve into those in our next post.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.