Code42’s study goes into detail about the risks facing cybersecurity leaders and practitioners in the wake of the Great Resignation.
While the Great Resignation has seen many employees leave their jobs abruptly to focus on their own mental health, this shift in employee numbers has prompted concerns about the way business leaders view their cybersecurity. According to Code42’s Annual Data Exposure Report, 98% of business leaders, cybersecurity leaders and cybersecurity practitioners have cybersecurity concerns with the current levels of turnover within their workforce.
Insider security risks
Insider risk is defined as any user-driven data exposure event, either malicious, negligent or accidental in nature. The report details how companies’ data and intellectual property (IP) can be compromised by the number of outgoing employees spurred by the pandemic.
The trends shown in employee turnover have created a number of challenges in keeping valuable data safe, as businesses are concerned that the Great Resignation is a catalyst for departing employees to unknowingly or intentionally expose, leak or exfiltrate IP. Nearly three-quarters (71%) of the 700 business leaders surveyed said they do not have visibility as to what and how much sensitive data is taken to other companies, and the same percentage say they are concerned about personal data saved in the cloud, on personal devices and hard drives.
According to the report, there is a 37% chance that the company an employee leaves will lose its IP, with departing employees making up the second-largest cause of a successful data breach, behind only hackers (45%). With cybersecurity and business leaders concerned about this potential loss of IP, the report posits that having an internal risk management program is not enough when programs are challenged with protecting against insider risks.
In addition, over half of the respondents (55%) stated they were concerned about employees potentially becoming lax with their cybersecurity practices in new hybrid environments, and 96% of those polled said their companies need to start providing improved cybersecurity training for workers. Nearly one-third of those who responded said additional or improved training was simply not enough, and a complete overhaul of their companies’ cybersecurity practices was needed.
Factors for concern
As the fallout of the Great Resignation is still being felt by many enterprises, there are four main concerns raised by Code42’s report. The 4.5 million employees who left their jobs in November 2021 alone have created the first big challenge for industry leaders in protecting their data. Many employees leaving their roles have accidentally or intentionally taken data with them to competitors within the same industry, or even sometimes leveraged their former employers’ data for ransom. Business leaders are concerned with the types of data that are leaving, according to 49% of respondents, and 52% said they are concerned with what information is being saved on local machines and personal hard drives. Additionally, business leaders are more concerned with the content of the data that is exposed than with how the data is exposed.
Another major concern is a disconnect over the problem of employees leaving in droves, which creates uncertainty about ownership of data. Cybersecurity practitioners want more say in setting their company’s security policies and priorities, since they are dealing with the risks their employers face. Leaders in the cybersecurity sector are stuck between deciding whether to spend more time working with their teams for on-the-ground insights or addressing compliance issues. Of those surveyed, 58% of practitioners expressed they do not feel as if their leaders communicate their company’s vision to the rest of the team, and 57% of practitioners said they are not consulted about decisions that are made based on their companies’ strategies.
The next issue centers on companies needing a better understanding of data movement: enterprises need better contextual visibility into what information is being taken when employees leave a role and how impactful the taken information is to the business itself. Only 21% of respondents said their current cybersecurity budgets go to insider risk management (IRM), but on a positive note, 65% said they believe their budget for IRM will increase in the coming year. As the need for an IRM program becomes clear, 61% of companies are currently utilizing an IRM program, and 36% said their company was likely to implement one in the future.
The final major concern stems from the fact that some employees are unaware of the risk posed to the company, as employee security awareness poses a large challenge even with enterprises investing time training their employees on how to remain as safe as possible. Over half of those polled (55%) said they were concerned about employees becoming lax in their cybersecurity practices and protocols, and 70% of those in the public sector said they were concerned about this issue. To help combat this, companies can mitigate risk by changing users’ behavior through additional training and creating a workforce more aware of the risks posed by hybrid work. Additionally, the frequency and quality of training are two important variables that employers need to consider when discussing risk mitigation with their employees.