Proofpoint recently partnered with the Economist Intelligence Unit to survey more than 300 corporate executives, including CIOs, CISOs and other IT executives, as well as finance and line-of-business leaders. Their goal was to learn more about the frequency and severity of people-centric threats. The resulting briefing paper details the causes of these common threats, and the steps that companies across North America, Europe and the Asia/Pacific region are taking to address them.
It should be noted that this research was conducted in a pre-COVID world. But despite the massive disruption in our lives – both personal and work – over these last several weeks, in many ways the massive shift to work-from-home models has just accelerated the trends that have been enabled by the forces of digital transformation over the past several years. There is much to be learned from this cyber insecurity report, and we encourage all businesses to give it a thorough read. Below, we’ll share some of our key takeaways.
What are People-Centric Security Threats?
There are many types of cybersecurity threats that can arise in the modern business. Some are a result of technological mistakes or oversights, such as a poorly secured codebase or a mistake in database security configurations. People-centric security threats are of growing concern as the world becomes more connected, more distributed, and more reliant on software applications to accomplish every business function.
Understanding the nature of people-centric threats is fundamental to building a technology-enabled cybersecurity strategy. Some individuals take advantage of access for malicious reasons to steal or otherwise misuse confidential or sensitive company information. But even more frequently, people-centric threats arise from accidental behaviors or as a result of being compromised by an outside actor. From phishing attacks to lost devices to unsecured networks to stolen credentials, a weak link in your human security chain can cause real – and really expensive – problems.
The cyber insecurity report provides survey details on the most common targets of data breaches. In addition to office-based employees, respondents named customers, contractors, remote employees and suppliers as common targets of data breach attacks.
Moreover, as the cyber insecurity report puts it, people-centric security threats pose a “delicate problem,” because businesses must always strike a balance between trusting and empowering their employees while also ensuring there are guardrails in place to stop insider threats from causing data breaches and other security incidents.
People-Centric Data Breaches are Common and Costly
The cyber insecurity report demonstrates that the headlines we see so frequently about massive data breaches are just the tip of the iceberg. The majority of survey respondents shared that their organizations had experienced at least one data breach over the last three years, and more than half (60%) said they’d experienced at least four breaches. The bigger the company, the more likely they were to have experienced a breach.
As far as the consequences of these breaches go, businesses surveyed said they experienced disruptions that included:
- Revenue losses
- Client losses
- Staff terminations
Moreover, these businesses are realistic about how much more common these breaches are likely to become over the coming years. Almost half admitted they feel it’s “very or extremely likely” they will face a major data breach within the next three years. Furthermore, those who have experienced them in the past were more likely to believe they would experience another, indicating that they are fully aware lightning “can and will” strike multiple times in one place.
People Are More Likely to be the Root Cause than Tech
As the cyber insecurity report explains, the majority of cybersecurity breaches result from people-centric risks, not failures of technology or process. These risks include phishing, ransomware, business email compromise, wire transfer fraud, and more. System misconfigurations and accidental data exposure do happen, but the majority of actual threats have a human cause at the root.
This is not to say that technology and processes can’t be used to shore up the human perimeter. In fact, it has never been more important to invest in a technology-enabled security program that takes a holistic and people-centered approach.
Taking People-Centric Security Seriously
The best news to come out of this cyber insecurity report is that CISOs and other security leaders at top companies like Atlassian recognize the importance of investing in people-centric technology solutions spanning email security, web isolation, zero-trust network access, and endpoint-based behavior solutions like Insider Threat Management. It has become a major topic of conversation in the C-Suite and at board meetings, with 96% of companies surveyed saying these important stakeholders “strongly support” efforts to control cybersecurity risks, including people-centric ones.
It’s only with the support of these key players that companies can begin to develop and deploy effective people-centric strategies that will help reduce their risk of data loss in the modern, connected world. While the prevalence and cost of these threats is high and growing, the seriousness with which they are treated is a sign that collectively we are headed in the right direction.
Considering a People-Centric Approach to Insider Threats
Mike McKee, Proofpoint EVP and GM for Insider Threat Management, wrote in a recent blog on the limitations of traditional perimeter-based cybersecurity strategies – particularly when protecting from insider threats, “A key challenge to securing the people perimeter is that people cannot be accurately described by just looking at their activity logs. Understanding people requires understanding intent. Understanding intent means understanding context.” Proofpoint’s Insider Threat Management solution by ObserveIT leverages the power of context to help security teams better identify risky users and better protect intellectual property and sensitive data.
To learn much more about the nature of people-centric security threats and how successful modern businesses are addressing them, we highly encourage you to download the cyber insecurity report.