In the second of a series exploring the psychology behind insider data breaches, Egress CEO Tony Pepper looks at the employees who are intentionally taking risks with company data. If you missed the first instalment, click here.
It doesn’t take a malicious mindset for employees to intentionally put company data at risk. In fact, you’d be hard-pressed to find an employee who hasn’t at one time or another found a workaround when corporate security policies put perceived obstacles in the way of them “getting their job done”. Actions such as constantly putting off software fixes or system updates so they don’t have to close the applications they’re working in, flouting email security policies, or downloading sensitive data to personal devices to finish work at home may seem innocuous – driven by good intentions, even – but these intentionally reckless acts can have catastrophic effects. A data breach is a data breach and, regardless of whether it is caused by a malicious external attack or a well-intentioned but careless employee, responsibility lies firmly with the organisation and the individual.
Email, in particular, is a minefield where intentionally reckless data behaviours are concerned. Employees working at speed to accomplish tasks depend on email as the ultimate aid to productivity and communication. Nothing gets things moving like a group email, right? In the hands of those who are more worried about hitting their targets than keeping data secure, this can soon lead to a breach.
So, what can CISOs do to address this risk? The first step is identifying and understanding the factors that make up the personality type behind these breaches.
Identifying intentionally reckless personas
The challenge with employees who are intentionally reckless with data is that they can sometimes see themselves in a battle against the organisation’s security policies and tools, which they view as barriers to getting the job done. Or, they feel that they know their way around the organisation’s security systems and are blasé about potential risks, focusing more on completing tasks on time. In both cases, they have a tendency to sacrifice security in favour of productivity and create risk.
In this group, we’ve identified two main personas. The first is dubbed ‘Confident Chloe’. These employees would describe themselves as security-aware, having undertaken the required security training. They consider themselves able to spot security pitfalls, and armed with this perceived awareness, these energetic employees are determined to get their job done.
Over-confidence is Confident Chloe’s undoing. These employees have often absorbed the basics of security training, and then go on to believe this makes them experts in data security. This is the result of the Dunning-Kruger effect, a type of cognitive bias in which people vastly over-estimate their skills and expertise, leading to mistakes – and in this case, data breaches. In the case of Confident Chloe, this employee feels they would be able to detect all instances of risk and, therefore, is happy to cut corners where, for example, they feel security is getting in the way. To compound this risk, the pride that this personality type takes in their work also means they may fail to report a suspected data breach incident, for fear of criticism, repercussions and losing face, or simply because they don’t think the incident is as bad as it actually is. An accusation of ‘intentional recklessness’ would probably be devastating to this employee.
The second personality type that falls into this category is nicknamed ‘Risky Raj’. Typically, these are busy, long-term employees of the organisation and they are always on the go, working at high speed and impatient with anything that gets in the way of their lengthy to-do list. Getting the job done is the overriding goal for this persona, and they are not averse to cutting corners and taking risks if that is what it takes. This can include using data sharing and collaboration tools other than those provided, if they think these will help them be more productive. They have witnessed the introduction of security tools over their years at the organisation, but have failed to fully engage with them, viewing them as a hindrance, not a help.
This persona is likely to avoid using the tools provided because they don’t respect the need for them or because they didn’t have time to attend security training! Their high-speed workstyle also means they are prone to mistakes, such as mis-sending emails due to not spotting address autocomplete errors – which will go in plaintext because they didn’t use the encryption tool provided.
Workplace culture compounds risk
Both these reckless personas flourish in a workplace that has a culture of getting the job done no matter what the cost. If their managers display a similar attitude to security risk and put pressure on employees to deliver results, these personality types typically will not push back with security concerns. Instead they’ll continue to rush and cut corners. And as we know, when productivity is prioritised over security, data breach risk is the result.
Overconfident and impatient employees also have a tendency to view the data they work on in a proprietary way, while rejecting personal responsibility for keeping it safe. 41% of the employees surveyed in our Insider Data Breach Survey 2020 don’t believe that data created or gathered in the workplace belongs exclusively to the organisation and only 37% recognise that everyone has responsibility for data protection. If these common misconceptions are not addressed, risk will persist.
Mitigating the ‘intentional reckless’ insider threat
Armed with knowledge of the psychology of intentionally reckless employees and their inaccurate view of data protection responsibility, CISOs can understand the features required in technologies and strategies to mitigate the issue.
Perhaps the most important factor for these characters is that any tools that are deployed must fit seamlessly and unobtrusively into their workflow. Anything that requires extra steps from the user increases friction and is likely to be ignored or circumvented. For example, tools that automate email encryption and communication channels based on the content being shared and the risk to sensitive data can give the organisation confidence that data cannot leave the organisation in unprotected formats. This takes the decision about when and how to encrypt data out of the hands of the user, relieving them of a responsibility they didn’t want in the first place. Friction also has to be reduced as far as possible across these individuals’ wider ecosystems – for example, removing friction from a recipient’s experience when accessing a secure communication, to prevent time-consuming pushback that can lead to data being sent by other, less secure, mechanisms.
To prevent email mis-sends by hasty workers, CISOs can also deploy contextual machine learning that analyses typical email behaviour and detects any anomalies in real time, alerting users only when they inadvertently add an unexpected recipient to an email group, attach the wrong document to an email, or try to send sensitive content to an unauthorised recipient. Technology like this is part of a growing category of human layer security solutions that use intelligence to detect and mitigate the risk created by people interacting with sensitive data.
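The two previous paragraphs describe a content-driven encryption decision and a behaviour-based check for unexpected recipients (including the autocomplete mis-sends mentioned under Risky Raj). The following Python script is an added illustration of both ideas at a toy scale; it is not Egress’s product or code. The sent-mail history, the sender and recipient addresses, the sensitivity patterns and the edit-distance threshold are all constructed or assumed for the example; a real deployment would replace the regular expressions with a tuned classifier and learn the baseline from actual mail flow.

```python
import re
from collections import defaultdict

# Constructed sent-mail history: (sender, recipients) per past message.
SENT_HISTORY = [
    ("chloe@example.com", ["raj@example.com", "finance@example.com"]),
    ("chloe@example.com", ["raj@example.com", "legal@example.com"]),
    ("chloe@example.com", ["finance@example.com", "audit@partner.example"]),
    ("chloe@example.com", ["raj@example.com"]),
]

# Assumed content rules (placeholders for a real classifier or DLP rule set).
SENSITIVE_PATTERNS = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "confidential_marking": re.compile(r"\b(confidential|restricted)\b", re.I),
}


def build_baseline(history):
    """Count how often each sender has emailed each recipient and each domain."""
    recipients = defaultdict(lambda: defaultdict(int))
    domains = defaultdict(lambda: defaultdict(int))
    for sender, rcpts in history:
        for r in rcpts:
            r = r.lower()
            recipients[sender][r] += 1
            domains[sender][r.rsplit("@", 1)[-1]] += 1
    return recipients, domains


def find_sensitive_content(subject, body):
    """Return the labels of every sensitivity rule the message matches."""
    text = f"{subject}\n{body}"
    return [label for label, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot near-miss (typo) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unexpected_recipients(sender, rcpts, baseline):
    """Recipients this sender has never emailed, each tagged with why it looks odd."""
    known_rcpts, known_domains = baseline
    findings = []
    for r in rcpts:
        r = r.lower()
        if known_rcpts[sender].get(r):
            continue  # seen before: no interruption for the user
        domain = r.rsplit("@", 1)[-1]
        if known_domains[sender].get(domain):
            findings.append((r, "new recipient at a known domain"))
            continue
        # Assumed threshold: a domain within two edits of a known one is a likely typo.
        near = [d for d in known_domains[sender] if 0 < edit_distance(d, domain) <= 2]
        if near:
            findings.append((r, f"domain resembles {near[0]} (possible autocomplete error)"))
        else:
            findings.append((r, "new external domain"))
    return findings


def check_outbound(sender, rcpts, subject, body, baseline):
    """Decide silently whether to encrypt; prompt the user only on an anomaly."""
    sensitive = find_sensitive_content(subject, body)
    unexpected = unexpected_recipients(sender, rcpts, baseline)
    return {
        "action": "prompt" if unexpected else "send",
        "encrypt": bool(sensitive),   # policy decides, not the user
        "sensitive": sensitive,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    baseline = build_baseline(SENT_HISTORY)
    # Constructed outbound message with one autocomplete slip in the recipient list.
    verdict = check_outbound("chloe@example.com",
                             ["raj@example.com", "raj@exmaple.com"],
                             "Q3 figures", "Confidential draft attached", baseline)
    print(verdict)
```

The point of the split between `encrypt` and `action` is the one the article makes: encryption happens automatically when content rules match, with no decision asked of the sender, while an interruption is reserved for the cases where the baseline says something is genuinely unusual, so that prompts stay rare enough not to be clicked through out of habit.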
Finally, it is important to create a culture of no-fault reporting, to help the Confident Chloes of the workplace (and, frankly, anyone else!) come forward to report incidents when they occur. However, this should also be supported with compliance tools that give full visibility into risk across the organisation and flag areas of non-compliance in real time, so issues can be addressed in a timely way and data protected in line with regulations.
As workplace performance continues to become even more important – both to individuals and businesses – during challenging economic conditions, the tension between productivity and security will only grow if organisations don’t adopt tools to resolve it. CISOs must urgently address the challenge so well-intentioned workers can get the job done and achieve their targets without putting the organisation and its data at risk.