Data breaches regularly generate news headlines, reinforcing the popular image of foreign hackers piercing the defenses of companies and organizations to steal valuable information. In reality, most data thefts are far more mundane: Rather than being a continent away, the thieves are likely to be in a cubicle down the hall, according to a new report.
Companies that have been hacked in the last 18 months say half these incidents were an inside job, according to the 2019 Global Data Exposure Report, a survey by data protection firm Code42 of 1,600 information security leaders and business decision makers.
"Although many companies have traditional prevention tools in place," said the authors of the report, "data loss, leak and theft — particularly from insiders — continue to happen at an alarming pace."
Despite this alarming trend, companies are ill-prepared for insider cybersecurity threats. The Q4 CNBC Executive Technology Survey released Tuesday revealed that most tech executives think state-sponsored cyber warfare and individual hackers are the most dangerous threats to their organization. Only 16% said rogue employees were a threat, compared to 36% for state-sponsored cyber warfare and 36% for individual hackers.
The CNBC Technology Executive Council survey released Tuesday was conducted from Dec. 2–11, 2019, among 51 of the 157 members of the Council, who serve in senior technology positions at large companies, as well as at government and nonprofit organizations.
A major contributor to the surge in data breaches by insiders is the shift in workplace retention rates — employees today change jobs often and are less loyal — coupled with the fact that companies have not adjusted their data protection protocols to this new reality, said the report.
"Chances are, people in your organization are job hunting. In 2018, 40 million employees in the U.S. quit their jobs, and the number continues to rise," said the report. "Unlike past generations of American workers who stayed at jobs for decades, today half of the labor force is looking for a new job."
In addition, said Joe Payne, CEO of Code42, a convergence of technologies has made insider theft easier. "Data is more portable than before. Things like customer lists, designs and payroll data used to be on paper." Now they are digital and easily transferable. In addition, collaboration software, like Slack and OneDrive, makes it easier to move large files.
Data loss can be either deliberate, as with disgruntled or departing employees, or unintentional, through use of unauthorized and vulnerable applications. "Rather than sticking to company-provided file-sharing and collaboration tools, 1 in 3 (31%) business decision-makers also use social media platforms, such as Twitter, Facebook or LinkedIn; 37% use WhatsApp; and 43% use personal email to send files and collaborate with their colleagues," said the Code42 report.
Unhappy employees who want to do harm can create a "back door" to access valuable company data after they leave, said Tom Kellermann, chief cybersecurity officer at Carbon Black, a digital security start-up acquired by VMware earlier this year for $2.1 billion. "These insiders typically have knowledge and access they shouldn't have."
Companies need to be more in tune with today's job-hopping generation, said Payne. In the Code42 survey, 63% of respondents admitted they had taken company data with them when they left a job. According to Payne, most organizations have a process for getting your badge and your laptop back when you leave a company, yet "no company has a process for reviewing the data you take with you." As awareness grows of the insider threat, he expects organizations to better guard the exits.
Kellermann agreed that companies have been slow to roll out technologies that can cut down on such thefts. He said endpoint detection and response tools can spot unusual activity on desktops and servers and also recommended that companies perform daily "cyberthreat hunting," which he describes as equivalent to checking all the bedrooms and door locks for intruders.
"There are far too many individuals out there that have all the keys to the castle," said Kellermann.
Another useful technology against unauthorized internal access to corporate data is "zero trust," an approach that assumes every data request is suspect. It examines who is asking for the information, what rights they have and for how long.
"To be effective, you have to deploy just-in-time administration," said Kellermann. An employee may be given access to certain data just for a limited period or only from a particular location, for example.
Cybersecurity firms have touted the use of artificial intelligence to help detect intrusions. Kellermann said AI can help, but the thieves also have access to the technology. He cited a case where hackers accessed a company's mail server and used AI to identify the most powerful executives. They then sent mail to customers using those email accounts. The act reflects a rising trend of using a company's infrastructure to attack its customers and damage an organization's reputation.
"Cybersecurity shouldn't be viewed as an IT problem," said Kellermann. "It's a brand protection problem."
Alissa Abdullah, senior vice president of cybersecurity technology for Mastercard, said the internal threat "is a combination of people and technology." Adversaries are experts at "pulling at the heartstrings of people." An employee clicking support or opening a request for charitable contributions can open the door to an intruder. And it's not just lower-level employees. In the Code42 survey, "over three-quarters (78%) of CSOs (chief security officers) and 65% of CEOs admit to clicking on a link they should not have, showing that no level of employee is immune to lapses in judgment."
Abdullah said the best long-term way to combat internal threats is to create a corporate culture that values security. Her team is constantly reminding Mastercard employees about the importance of protecting customer data. She invites speakers to lecture employees and offers an "escape room" exercise where employees can't leave until they correctly answer a series of data security questions. She also cited the importance of "data tagging," which tells where every piece of data originated and who has access to it.
"People think that because data is on their cellphone, it's theirs," she said.