“GDPR is the new Y2K” was a phrase I heard multiple times during the first 12 months after its implementation. As the ICO continued to work through historical breaches under the Data Protection Act, there was certainly a sense that GDPR was all bark and no bite. Then its first anniversary was quickly followed by the ICO announcing its intention to fine British Airways an incredible £183.39m and Marriott nearly £100m. With this move, the ICO reminded CISOs and their boards that they are indeed operating in a new era of data protection and compliance, and GDPR moved back up the agenda once more.
Yet despite this, we don’t go a day without a new breach hitting the headlines – and the impacts are only getting more significant. The latest ‘Cost of a Data Breach’ report from Ponemon and IBM shows the average cost has increased 1.5 per cent to $3.92m.
Stemming this tide is the problem all CISOs are working to solve – but if measures to date have had limited impact, where should they look next? A clear understanding of why data breaches are happening is the logical place to start; however, when employees are involved, this is never a straightforward issue.
Understanding the ‘why’ around data breaches
Much analysis has been carried out into the types and frequency of data breaches, but there has been little focus on why they are happening. When considering cyberattacks and malicious data breaches, we can quickly attribute motivations to factors such as financial gain (including ransom), political affiliations, competition and sabotage, or emotions (for example, anger). To most people, the link between these motivations and the subsequent actions makes sense, much as it does for physical theft.
When we consider non-malicious insider data breaches caused by staff, the problem becomes layered with complexity that’s difficult to untangle and resolve. Yet only when we understand more clearly the why behind these breaches can we reduce their likelihood and impact.
At Egress, we looked into this topic with independent research company Opinion Matters. Our survey of over 500 CIOs and IT leaders in the US and UK found that nearly all of them (95 per cent) are concerned by insider threat and most believe employees have put data at risk in the last 12 months either accidentally (79 per cent) or maliciously (61 per cent).
We also surveyed over 4,000 employees and found that they paint a very different picture: 92 per cent said they have not accidentally leaked data in the last year, while 91 per cent said they had not intentionally leaked data.
Such a contrast clearly demonstrates that, to some degree, employees are either unwilling to admit to causing data breaches or unaware that they have caused one.
The issue of unknowingly causing data breaches is a nuanced discussion. It’s not simply a case of, say, never becoming aware that they’ve emailed sensitive data to the wrong person; it also includes whether employees feel they have a right to the data in the first place, so that when they remove it from a secure environment they don’t realise they’ve caused a breach – for example, taking customer lists with them when moving to a new company.
Our research found that almost one in three employees (29 per cent) believe they have ownership over the data they have worked on for a company, and that 60 per cent don’t believe the organisation has exclusive ownership over the data. Interestingly, those aged 16-24 were less likely to think the organisation has exclusive ownership (33 per cent), while those aged over 65 were more likely to think so (51 per cent).
The problem of ethics and ownership
Awareness and education are a favourite starting point for tackling non-malicious insider breaches. A solid foundation of cybersecurity awareness does help to reduce negligent or inadvertent incidents by championing good practices. Employees can also be challenged and re-educated on the subject of data ownership, for example by explaining what needs to remain with the organisation when they leave. These educational measures should also be highly targeted to the age ranges of the current workforce within individual organisations. In a time when digital natives, such as millennials and Generation Z, have grown up with prevalent sharing on social media and a sense of ownership around what they produce, this problem is likely to be exacerbated among these employees.
Yet education alone won’t turn the tide of data breaches, as it can’t prevent reckless behaviour or stop every inadvertent breach – after all, people are always going to make mistakes!
How technology can reduce breaches
When respondents who acknowledged causing a data breach were asked how this happened, our research found that accidental leaks were caused by: rushing and making mistakes (48 per cent), working in a high-pressure environment (30 per cent), and tiredness (29 per cent). Two of the top causes of intentional breaches were not having the tools required to share data securely (55 per cent) and taking data to a new job (23 per cent).
This insight helps us to understand the role technology needs to play in preventing data breaches. Advances in machine learning and graph database technologies have made it possible to identify when people are about to accidentally or intentionally leak data – warning users and administrators in real time that a breach is occurring, and even preventing the release of certain data altogether.
The use of this technology can not only reduce the likelihood of a data breach but also significantly reduce the impact should a breach occur. The ‘Cost of a Data Breach’ study shows that the use of security technologies such as encryption and DLP was associated with lower-than-average data breach costs. In particular, encryption had the greatest impact, lowering the cost by $360,000 on average. What’s more, security automation that leveraged technologies like machine learning and analytics reduced the cost of a data breach by an impressive $2.5m on average.
Not another Y2K
For those of us operating in cybersecurity on a daily basis, it’s impossible to be ignorant of GDPR and its impacts. This awareness inevitably dilutes the further we get from CISOs and their security teams, but GDPR doesn’t make this distinction: good data protection practices are non-negotiable.
As research has shown, there’s no single silver bullet for turning the tide of data breaches, particularly those caused by employees and the complexities they bring to this problem. But GDPR has emphatically proven it is not another Y2K – and CISOs need to keep educating and equipping employees to prevent non-compliance. To do this, CISOs need to address the motivations and problems staff have when sharing data – and when they don’t have confidence that people will make the right decisions, they need to look to the latest technologies to make those decisions on their behalf.
Tony Pepper, CEO and Co-Founder, Egress