Businesses appear to me moving toward a stronger focus on insider threats and more understanding of cyber-security issues at the board level, according to a Nuix survey of 30 IT security officials.
The report found that there's a greater focus on insider threats since the first report was conducted in 2014, with nearly three-quarters (71 percent) of respondents reporting that they have an insider threat program or policy, and 14 percent said that they allocate 40 percent or more of their budget to insider threats.
The survey also found people to be almost universally thought of as the biggest weakness in information security, ahead of technology and processes—of the respondents that reported to have an insider threat or policy, 70 percent offer employee training to minimize risk.
"The first agenda item for businesses with limited budgets is understanding that this is not merely an IT issue," Keith Lowry, senior vice president of business threat intelligence and analysis at Nuix, told eWEEK. "It is a risk management issue that must begin in the boardroom and C-levels. IT is extremely important, but this issue goes well beyond the typical IT departmental authorities, capabilities, experience and training."
According to Lowry, the next agenda item to tackle is a training and awareness programs, noting training begins at the board room and C-suite, including managers and all employees.
"Proper training and awareness programs are proven, effective ways of preventing the unwitting employees from falling victims to improper cyber health habits," he said. "It also informs those witting employees that they are being watched, thus giving them pause to continuing their plans."
The third item is to authorize and empower a single entity within the organization with the ability to counter insider threats wherever they appear within the organization, he said.
"Too often, interdepartmental strife and competition prevent swift and agile response to threats," Lowry said. "The best way to create, authorize and empower this entity is to engage all stakeholders in its creation, so there is agreement and understanding of the countering insider threat efforts. Member stakeholders should include general counsel, privacy, civil liberties, IT, HR, admin, operations and security, to mention a few."
Lowry explained that organizations must prepare themselves and understand their workforce, systems, critical value data, contractors and other third-party vendors to ensure appropriate risk management decisions are made.
"In 2016 and beyond, organizations should prepare themselves to be agile enough to not merely defend against these attacks, but be smart and prepared enough to counter threats dynamically," he said. "Organizations should look beyond compliance and static answers to these evolving threats."