A lot of people are looking forward to putting 2020 in their rearview mirror: I know I am. Unfortunately, when it comes to data security, we won’t see much immediate change once the calendar turns to 2021. The majority of knowledge workers will continue to work from home, the job market is unlikely to rebound anytime soon, and COVID fatigue will make compliance with lockdown restrictions a tough sell. Add it all up, and it’s almost certain to create the perfect environment for an explosion of insider threats well into 2021.
I’m not alone in sending out the warning flares. Forrester predicts that our new remote work lifestyles will lead to insider threats being the cause of 33% of all data breaches in 2021 – up from 25% in 2020. Our own research from the Data Exposure Report puts that number even higher – with 59% saying insider threats will continue to increase in the next two years.
Insider risks are not a new threat vector, but they have become much more widely discussed over the past decade as high-profile leaks from Twitter, Waymo, and the CIA have earned notoriety. The rising threat and resulting media coverage should serve as a call to arms for the industry to finally take insider risks to data more seriously. Despite the fact that two-thirds of data breaches involve an insider, only 10% of security budgets address this problem. Will 2021 be the year that changes?
Let’s take a look at some trends and how likely they are to move the needle in terms of public awareness and industry action.
Insider incidents will increase in 2021. COVID-19 forced companies to redeploy their workers and other resources on a massive global scale, practically overnight. In many cases, digital transformation was accelerated and has enabled a more collaborative, productive work culture that has resulted in long-term business resilience. The downside is that data now flows freely on the edge of the network, outside the hardened perimeter, making it easier and less conspicuous to exfiltrate corporate information – a recipe for an increase in insider risk incidents.
The public sector will be at the forefront of insider threat protection. Insider breaches within the public sector highlight the growing threat across all levels of government. With the transition to a new administration already underway, and recent nation state attacks at the forefront of minds, we can surely expect an increase in federal budget allocation to address cybersecurity and insider threats, likely followed by a similar increase within the private sector.
The lines between internal threats and external threats will continue to blur. What looks like an internal threat could actually be an external actor posing as an employee. What looks like an outsider accessing privileged files at 9 pm could actually be a tired employee who was trying to catch up on work after the kids went to sleep. The lines get even more blurred as we think about IP and trade wars and the possibility of insiders for hire. In these cases, it often takes a combination of people, process, and technology to understand where the risk lies, what the real risk is, and how to mitigate it.
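The 9 pm example above is really a point about context: a single signal such as off-hours access cannot separate a tired employee from someone using that employee's account. The following is an added illustration, not code from the original post or from any product it mentions, of how a detection rule can weigh an off-hours access against a per-user baseline (usual working hours, managed device, familiar location, typical file volume) and route the ambiguous middle to a human analyst rather than auto-deciding. The event fields, baselines and scoring thresholds are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class AccessEvent:
    """One privileged-file access event (fields constructed for this example)."""
    user: str
    hour: int              # local hour of day, 0-23
    managed_device: bool   # did the session come from a company-managed endpoint?
    known_location: bool   # does the network location match this user's history?
    files_touched: int     # number of files read in the session


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user; hypothetical values learned from past activity."""
    usual_hours: frozenset  # hours at which the user routinely works
    typical_files: int      # usual number of files per session


def score_event(ev: AccessEvent, base: UserBaseline):
    """Return (triage level, score, reasons). Off-hours alone is worth only one point:
    on its own it never escalates, which is the 'tired employee' case from the text."""
    score, reasons = 0, []
    if ev.hour not in base.usual_hours:
        score += 1
        reasons.append("outside usual hours")
    if not ev.managed_device:
        score += 2
        reasons.append("unmanaged device")
    if not ev.known_location:
        score += 2
        reasons.append("unfamiliar location")
    if ev.files_touched > 5 * max(base.typical_files, 1):
        score += 2
        reasons.append("file volume far above baseline")

    if score <= 1:
        level = "low"              # log it, no action
    elif score <= 3:
        level = "analyst review"   # the people/process part: a human decides
    else:
        level = "escalate"         # multiple independent anomalies; treat as incident
    return level, score, reasons


# Constructed sample: three 9 pm accesses that look identical if you only check the clock.
BASELINES = {
    "alice": UserBaseline(frozenset(range(9, 18)), typical_files=10),
    "bob":   UserBaseline(frozenset(range(8, 17)), typical_files=10),
    "carol": UserBaseline(frozenset(range(9, 18)), typical_files=10),
}
SAMPLE_EVENTS = [
    # Tired employee catching up from her company laptop at home: only the hour is odd.
    AccessEvent("alice", hour=21, managed_device=True, known_location=True, files_touched=12),
    # Same hour, but unmanaged device, new location and a bulk read: account likely in others' hands.
    AccessEvent("bob", hour=21, managed_device=False, known_location=False, files_touched=300),
    # Managed laptop from a new location: genuinely ambiguous, so a person should look.
    AccessEvent("carol", hour=21, managed_device=True, known_location=False, files_touched=12),
]


def triage_samples():
    """Score every constructed event against its user's baseline; returns user -> level."""
    return {ev.user: score_event(ev, BASELINES[ev.user])[0] for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        level, score, reasons = score_event(ev, BASELINES[ev.user])
        print(f"{ev.user:6} {level:15} score={score} {', '.join(reasons) or 'no anomalies'}")
```

The thresholds are deliberately coarse; the design point is that the rule combines several independent signals before escalating and reserves a "review" band for cases only a person with business context can resolve.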
We’re also reaching the limits of what technology can do for security. Even next-gen technologies like Security Orchestration, Automation, and Response (SOAR) can only do so much. If real change is necessary, and I think it is, it won’t come from amazing new technology. It needs to start with a change in attitude. In the pendulum that swings back and forth between technology solutions and people/process updates, we’re about to shift our focus back towards what humans and culture can do for a company’s security posture. That is a good thing.
We’ll see the rise of chief change agents and risk officers. Digital transformation requires a fast-moving, collaborative culture, but unchecked speed and agility can increase risk. Striking a balance will need to come from the top. The way we work has changed significantly in 2020, and the C-Suite is soon to follow in 2021. In the past, the CISO and the CIO frequently found themselves at odds. While the CIO supports the CEO’s collaborative-culture vision by adding tech designed to facilitate collaboration, the CISO focuses on mitigating risks involved in that collaborative tech. In the future, organizations that include “chief change agents” and risk officers will be better prepared to digitally transform and adapt to the unforeseen challenges of 2021 while keeping employees secure. Change agents in these new roles must understand that collaboration and security are mutually supportive. Without collaboration, achieving a competitive advantage is impossible. Without security, maintaining that collaborative culture and competitive advantage is also impossible.
In the past, traditional security has been all about security, compliance and governance. But digital transformation, the Future of Work and COVID-19 have given us an opportunity to radically rethink how organizations strike a balance between collaboration and risk management. 2020 was horrible for so many reasons, and things aren’t looking much better in 2021. It’s up to us, the security industry, to take advantage of this opportunity and enable business transformation in a safe, pragmatic manner.