Are Insider Threats A Cyber Security Risk In The Workplace?

In a new study from ObserveIT, more than one third of 18-24-year-olds report that they don’t know nor understand what is included within their company’s cyber security policy.

The disconnect between cyber security awareness and insider threat risk, and the differences in generational cyber security awareness within the workplace, are the focus of a new study from ObserveIT. For the Multigenerational Workforce and Insider Threat Risk study, ObserveIT surveyed more than 1,000 full-time employees ages 18-65+ at organizations with more than 500 employees on their understanding and awareness of cyber security programs. The majority (65 percent) of respondents reported they understand the definition of an insider threat.

Insider Threats cyber security
(Image: ObserveIT)

The survey found that 64 percent of respondents agree careless employees or contractors are the most common cause of insider threats. This directly correlates with recent data from the Ponemon Institute showing negligent insider actions caused 64 percent of all insider threat incidents in the past 12 months.

The Ponemon data also shows the risk posed by insider threats is growing year-over-year. Since 2016, the average number of incidents involving employee or contractor negligence has increased by 26 percent and the cost to contain an incident in North America has risen to $11.01 million.

The fact that employees self-report understanding insider threats and adhering to cyber security policies, while insider threat-related incidents continue to rise, indicates organizations may have a false sense of security based on their expectations of employees’ understanding of insider threats. Lack of consistent understanding around the risks posed by insider threat activity can introduce accidental or negligent insider threat behavior within the workplace. And, the increased risk of insider threats is costing organizations significant money and resources as these threats can be difficult to detect, identify, and prevent without the right processes and technology in place.

“While the threat of the insider continues to grow, this research proves that when it comes to cyber security awareness and insider threat prevention, organizations need to take a holistic approach to cyber security and focus on people first, then processes and technology,” said ObserveIT CEO Mike McKee. “With a new generation entering the workforce, organizations should increase security awareness training for new hires and implement processes and technology to ensure both employees and contractors with access to systems and data understand and adhere to the company cyber security policy to prevent insider threats.”

Key findings from the survey include:

  • The Risk of the Accidental Insider: Almost two-thirds (61 percent) of respondents say they know what an insider threat is. However, this points to the dangers posed by naïve employees who may not understand the hidden dangers of insider threats, or who may only define insider threats as purely malicious in intent rather than malicious and negligent behavior.
  • The Generational Divide: Generation X and Baby Boomers are the least risky generations within the workplace, as 90 percent of 45-54-year-olds and 55-64-year-olds report they follow their company’s cyber security policy.
  • Entrants to the Workforce Present Challenges: Generation Z poses the highest overall cyber security risk to organizations, as more than one third (34 percent) of 18-24-year-olds report that they don’t know nor understand what is included within their company’s cyber security policy. This group was also the most likely of any generation to report that they do not follow their company’s cyber security policy, even if they do understand it.