Use These Facts to Make the Business Case for Funding an Insider Threat Program
According to EY's 2015 Global Information Security Survey, the overwhelming majority of businesses believe their security controls for insider threat are not up to standard. So why do insider threat programs so rarely get the funding they need? Building an insider threat program is on the agenda for most companies, but it seldom makes it to the top of the priority list. One of the top three reasons insider threat programs don't receive funding is LACK OF EXECUTIVE AWARENESS OR SUPPORT. Gaining executive buy-in and sponsorship can be the biggest hurdle to resourcing the level of security your company needs. It's up to you to make sure your leadership knows the facts about insider threat, and why now is the time to do something about it.
- It’s not just an IT issue. One of the main reasons insider threat programs don’t get the attention they deserve is that most boards still see insider threat as purely an IT problem. Insider threat is much broader than any one department; it involves information security, IT, human resources, public relations, ethics, counterintelligence, physical security, and executive management. Predictive and observable indicators of insider threat are not limited to the IT realm. Insider threats often go undetected because the indicators surface in different parts of the business: HR, facilities, finance, and others, none of which sees the whole picture on its own. An effective insider threat program must be cross-functional, pulling together signals from many departments so that flags are raised before a security violation occurs.
- Know the cost. Business leaders may not realize that the cost of cleaning up and recovering after a data breach is far heavier (and possibly catastrophic) than the cost of establishing an insider threat program. A 2013 Forrester survey found that the average cost to remediate an insider attack is just under $500,000; with an average of 3.8 attacks per year, annual costs could reach $1.7 million. The Ponemon Institute's 2015 Cost of Data Breach Study found that the number of insider attacks grows every year and that the data leaked is increasingly valuable. Each year, the cost to recover from an attack also rises.
- The real threat. There are many possible motives behind a data breach, and information can leak from within the company either intentionally or by accident. Some of the most damaging insider incidents have come from well-meaning employees who simply mishandled sensitive information. Does your company know which of the two, the malicious insider or the careless one, poses the greater risk to it?
Diagram via Kroll's 2016 Special Report: Annual Data Breach Trends
- What’s the trend? Addressing insider threat through a dedicated program is essential for companies of every size and type: private, nonprofit, small, large, and everything in between. PwC's key findings from the 2015 US State of Cybercrime Survey note that organizations are increasing their investments in security, as businesses recognize the growing value of their information and the need to protect it. Large businesses and retailers that have suffered insider-caused data breaches are now increasing spending on tighter security controls by more than 20%. What's the trend in your industry?
Funding an insider threat program brings benefits beyond protecting information. With an effective program in place, sensitive data becomes more traceable, and employees gain a clearer understanding of how to avoid accidentally compromising valuable assets. Hiring practices become more controlled, with candidates vetted and screened more deliberately. Ethical questions about handling sensitive data get addressed before they turn into incidents. Creating an insider threat program is more than complying with federal regulations or jumping on a trendy bandwagon; it’s good practice for any business.