Data breaches caused by insiders can cost you over $15 million

Data losses from insider-driven events are expected to pile up in 2024, with a single event potentially costing as much as $15 million, according to a Code42 study.

The study, which surveyed 700 respondents consisting of cybersecurity practitioners (300), cybersecurity managers (200), and cybersecurity leaders (200) from the US, also indicated cybersecurity staff burnout with respondents saying they spend an average of 3 hours per day investigating insider-driven data events.

“On top of financial, IP, and time losses, data loss events are impacting employee morale, with around six in ten cybersecurity personnel stating their job satisfaction is negatively impacted by data loss events caused by employees (64%), and a similar proportion believe they could lose their job from an unaddressed insider breach (62%),” said Joe Payne, president and CEO of Code42.

Most of the survey respondents said they feared inadvertently exposing sensitive data to competitors through generative AI tools.

Insider-driven data loss on the rise

The study found that, since 2021, there has been a 28% average increase in monthly insider-driven data exposure, loss, leak, and theft events, and the majority (85%) of respondents believed that trend is to continue for the next 12 months.

Insider-driven data loss refers to information leaked by an employer intentionally or unintentionally that can be exploited by external parties. This could involve a range of use cases, Payne explained.

“You name it, we have seen it,” he said. “Salespeople are taking data from Salesforce and uploading it to Dropbox. Finance people are taking corporate financial information and emailing it to their Yahoo accounts. HR folks are using Airdrop to take sensitive salary data. But the fastest growing and scariest incidents we are seeing recently are software developers pushing source code to their own personal cloud repos (like Gitlab or GitHub) using git commands on their endpoint.”

While almost all (99%) of the respondents said their company has a data protection system in place, 78% of cybersecurity leaders admit they have still had sensitive data breached, leaked, or exposed in 2023. Findings also revealed that over the last 12 months, 55% of insider-driven data exposure, loss, leak, and theft events have been intentional, while 45% were unintentional.

Under-skilled and distributed workforce a challenge

Seventy-nine percent of the respondents said their cybersecurity team suffers a skill shortage, leading their companies to turn to AI (83%), of which 92% depended on GenAI tools. These leads to potential insider threats.

Additionally, 73% of the respondents stated that data regulations are unclear, while another (68%) are not fully confident their company is complying with new data protection laws.

“Unclear guidelines may be generic or broad-based regulations that make it difficult to know what technology and processes would make an organization compliant,” Payne explained. “Auditors and cybersecurity teams need to work together to meet compliance requirements in a way that aligns with the needs of their company.”

According to Payne, the three leading factors contributing to insider-driven data losses are the high portability of data, multiple exfiltration channels available in most organizations, and a completely distributed workforce.

“You don’t need to Xerox pages from the file cabinet anymore to steal company secrets,” Payne explained. “Almost everything in a modern organization has been digitized already, (and) the same cloud technologies that allow employees to connect, create, and collaborate also make it faster and easier to leak critical data like customer lists, source code, and IP.”

Additionally, employees working remotely follow poor security practices, using Dropbox, personal Gmail, Airdrop, and many other forms of unsanctioned and unsafe sharing, leading to added threats, Payne added.

GenAI adds to the risks

A large number (85%) of respondents believed that their company’s sensitive data is increasingly vulnerable to new AI technologies. Eighty-seven percent of the responses expressed fears over inadvertently exposing sensitive data to competitors by inputting it into GenAI. An equal number of them are also concerned that their employees are not following their GenAI policy.

“Employees across industries are using AI to streamline their workflows, automate repetitive tasks, and make data-driven decisions,” Payne said. “Any sensitive or confidential data that employees share with these tools flies out of employers’ control and can put compliance obligations and IP protections at risk.”

Survey respondents said they need more visibility into source code sent to repositories (88%), files sent to personal cloud accounts (87%), and CRM system data downloads (90%).

Companies need to have solutions in place that can monitor data movement in the cloud and AI tools, work across platform and system differences, and provide complete visibility into data sources, types, and destinations, Payne added.