Understanding Europe’s insider threats
35% of employees across the UK, France, Germany and Italy admit to having been involved in a security breach, presenting regional CISOs with a significant challenge when it comes to protecting company data, particularly in light of the forthcoming European GDPR, which will come into effect in early 2018.
The new legislation will not only make it a requirement to notify of a breach within 72 hours, but also levy strict new penalties of up to 4% of worldwide annual turnover for serious failings.
Worrying levels of risky behaviour
The findings are the result of both intentional and accidental employee activity, with malicious intent, staff negligence, limited security awareness and ineffective corporate policies all emerging as reasons for security breaches. In particular, the research, conducted by Atomik Research, reveals worrying levels of risky behaviour from employees within enterprises:
- 14% of employees would jeopardise their job by selling work log-ins to an outsider, and 40% of those would do so for less than £200 – 55% of surveyed employees in the UK would part with credentials for that amount.
- Just under a third (29%) of survey respondents have purposefully sent unauthorised information to a third party, while 15% of European staff have taken business-critical information with them from one job to another. 59% planned to use it in their next job.
Severe lack of employee awareness
The results also show a severe lack of employee awareness of how their behaviour increases the data security risks facing an organisation:
- Nearly half (43%) of European employees do not believe their organisation is currently vulnerable to a security threat caused by insiders, while 32% are either unaware of or are unsure about the consequences of a data breach.
- Nearly a quarter (22%) either do not believe data breaches incur a cost to their employers, or are unsure; with France and the UK representing the nations with the lowest levels of awareness of these costs and consequences.
- 39% of European employees report having received no data protection training, and over a quarter (27%) of organisations either lack security policies to prevent data loss or fail to enforce them.
[Figure: Percentage of European employees that have accidentally or deliberately sent information to third parties]
Trends across Europe
The survey also uncovers some interesting trends across Europe:
- Italian respondents (45%) are most likely to be involved in a security breach, compared to just 27% of UK respondents.
- French workers (36%) are most likely to feel that their organisation is vulnerable to security threats from hijacked systems, rogue insiders, stolen credentials or negligent end users, more than those in Italy (33%) and the UK (22%), and more than twice as likely as German employees (15%).
- The cloud represents an area of significant uncertainty when it comes to security. In the UK, 55% aren’t sure if their data is more or less secure in the cloud and 38% do not consider security before uploading files. France was not far behind at 52% and 33% respectively, with lower but consistently significant statistics generated in Italy (33% and 17% respectively) and Germany (33% and 21% respectively).
- The need for data protection training is widespread. Nearly half (47%) of French employees have never received training, with the figure at 41% in the UK, 37% in Germany and 31% in Italy.
“If you read between the lines of the findings, something very compelling stands out — most organizations still have little to no visibility when it comes to understanding what their employees are doing online. The fact that a significant percentage of workers are willing to sell their credentials leads to the conclusion that they have no confidence in their companies’ abilities to spot malicious behaviors. When you consider that the vast majority of all data breaches are caused by some form of insider, it is amazing that enterprises haven’t solved the problem of gaining insight into what is happening on their endpoints, in the clouds and on corporate networks,” Christy Wyatt, CEO of Dtex Systems, told Help Net Security.