
Expert insight from our head of GRC consultancy
Our analysis of the ICO's (Information Commissioner's Office) public data set found that 29–35% of reported personal data breaches between 2019 and 2023 in the UK had been caused accidentally.
That is, the incident type was one of:
- Data posted or faxed to incorrect recipient
- Data emailed to incorrect recipient
- Failure to use Bcc
- Failure to redact
Sector patterns
However, when we investigated the sectors suffering the most accidental breaches, we found that the entire top 3 comprised the public sector, with numbers as bad as 36.4%, 40.4% and 57.1% of all data breaches caused through human error.
When we asked Damian Garcia, our head of GRC (governance, risk and compliance) consultancy, why that might be, he suggested that the public sector is no more likely than others to suffer this type of incident.
Rather, government entities are more likely to report it, while private-sector organisations are more incentivised to cover up smaller breaches to avoid bad press.
Taking this into account, more than a third of all data breaches may be caused by human error.
Other types of insider threat
These figures become worse when you consider staff making other types of mistakes, like falling for a phishing attack. Verizon's 2024 Data Breach Investigations Report found that 68% of data breaches involved a "non-malicious human element", such as human error or falling for social engineering.
This 68% figure still excludes threats like malicious insiders (more on that later).
In this interview
Put the pieces together, and you get a sense of the scale of the insider or internal threat.
To learn more, we talked to Damian about:
What is the insider threat?
Many people misunderstand the terms "insider threat" or "internal threat". People often think of malicious insiders, but these are only a subset of the internal threat. Could you elaborate?
The misunderstanding goes beyond just the internal threat.
Historically, when people hear "cyber attack" or "cyber criminal", they envision a person in a hoodie on a computer, trying to hack their way into someone else's device.
Today, most people understand that this is a dated view, but many still fail to realise that the biggest threat lies within the organisation itself – the insider threat.
What is the insider threat, exactly?
You can break it down into two camps: malicious and accidental. Both, however, originate from staff, whether that's someone clicking a malicious link, sending data to the wrong recipient, or deliberately stealing money or data from the organisation.
If it originates from a legitimate user's account and can cause harm to the organisation, you're looking at the insider threat.
Why are insider threats an issue?
Your Master's thesis focused on the insider threat. Why did you choose that topic?
As I talked to more experts in the field, I realised the scale of the insider threat problem.
For instance, I had the opportunity to work with a large UK charity, whose workforce consists mainly of volunteers. Their head of information security made a point about how most of their people are working for this charity out of pride. They want to help – they're not likely to be malicious.
But this charity was having a massive problem with accidental breaches – people clicking phishing links, people not logging out of their terminals, stuff like that. Accidental breaches were by far this charity's biggest problem.
How come? Why were accidental breaches such a big problem?
The workforce was quite diverse – some worked in an office and were very familiar with computers and how to use them. But others were manual labourers, who lacked IT literacy. They were very knowledgeable in their field but knew little about computers and the associated risks.
That is part of the challenge – how to tackle the insider threat when you have a diverse workforce.
The other problem is that you're more likely to trust an insider – they're supposed to have access to confidential systems and information. So, if something goes wrong with that account, it can do a lot of damage. It may also take a while before you realise that something is wrong.
Sector trends and patterns
Do charities have more trouble with the insider threat than other sectors?
Quite possibly, but the same applies to other sectors less likely to invest in their people.
Out of all the ways you can address the internal threat, staff training is the most obvious solution. If you don't invest in basic training and awareness, you're going to suffer more data breaches. It really is that simple.
Plus, charities tend to have that diverse workforce – so, they're more likely to have people who aren't very knowledgeable about computers. To be clear: there's nothing wrong with that – we all have our own strengths and weaknesses – but you do need to teach those skills.
It comes down to understanding the risks that the organisation faces to its information assets, then figuring out how to address and manage them.
What other sectors are more likely to have a big problem with the insider threat?
I work with a lot of councils. You see a similar pattern as with charities: diverse workforces, good cyber hygiene isn't a given, and staff training can be limited and ineffective.
So, by extension, smaller organisations are also more susceptible to the insider threat? Because they can't afford – or rather, think they can't afford – to invest in staff awareness training?
Absolutely. If I were a cyber criminal, without a doubt, I'd focus on small and medium-sized organisations. They typically lack the funds to invest in cyber security, making them easy targets.
They also tend to see their data as not worth very much, so donât see why theyâd be the focus of an attack.
Staff training is one of the most cost-effective measures that an organisation can take to reduce the risks it faces from the insider threat.
Our Phishing Staff Awareness Training Programme offers world-class content for a competitive price, developed by experienced and knowledgeable industry experts.
The course is quick to deploy, easy to repeat and convenient for your staff. Taking just 45 minutes, it'll help employees spot the signs of common threats like phishing.
It also explains the importance of staying alert and teaches staff what to do if they think they've been attacked.
Malicious insiders
Staff awareness training is a way to address accidental breaches. What about malicious insiders? How can organisations protect themselves from that type of insider threat?
The first step is to understand why someone might turn malicious. Why might an employee wish harm on your organisation? Typically, that's a disgruntled employee. So, a way to mitigate that risk is to look after your people.
Another angle you should consider, to better understand the risks that your organisation faces, is the respective level of technical knowledge of your staff.
For instance, an unhappy receptionist poses a vastly different threat to cyber or information security compared to an unhappy system administrator.
So, if you have someone who's technically competent, pay attention to whether they're happy. If they exhibit signs of poor performance and being disgruntled, put extra measures in place to ensure they're not taking steps to cause problems for your organisation further down the line.
What about a blackmailed, rather than a malicious, employee?
That's possible too, particularly if you're an organisation more likely to be targeted by nation state actors. Central and local government and critical infrastructure organisations are top of the list.
For my research project, I interviewed various industry experts. This included a cyber security expert who worked for the UK government, who advised organisations that are a part of the UK's critical national infrastructure on how to protect themselves.
He advised that the greatest risk organisations face from the insider threat is when people leave, and the organisation doesn't take steps to immediately revoke the individual's access to its systems.
This is critical when you have a disgruntled employee whoâs extremely technically competent, such as a system administrator.
Security culture
Good leaving procedures and staff awareness aside, how else can organisations defend against the insider threat?
Culture is very important. You want a culture thatâs security-aware and where all members of staff [not just IT] acknowledge they have a part to play in security.
Also, you mustn't punish people when they make an honest mistake. So, to be crystal clear, if someone accidentally clicks a phishing link, do not punish them!
You want to encourage your staff to report incidents right away, so you can investigate in a timely manner.
That seems rather obvious. Do organisations really punish staff for making that type of mistake?
Yes. I worked with a client based overseas that had a very interesting – a very male-dominated – culture.
This company wanted to put a procedure in place that automatically disciplined anybody who caused a cyber incident, such as clicking a phishing link. That type of approach fitted with their culture.
I asked them to reconsider their approach.
Without going into too much detail, this company was likely to be targeted by well-crafted social engineering attacks. And if someone does fall for one, you want them to call it out as quickly as possible! Because the longer a problem carries on, the worse it could become.
Detecting the insider threat
How can you detect the insider threat? Besides people reporting accidental breaches, like clicking a phishing link?
First, you need to establish a baseline – the "normal" pattern of behaviour. Then you can identify red flags – when your tools are catching behaviour falling outside those normal patterns.
For instance, would you expect your London-based employee to log in from mainland China at 3:00 am? Would you expect to see terabytes of data leaving your systems at 4:00 am? Either of those suggests you may have a problem, requiring some form of response.
It's important to have both these types of automated monitoring tools, as well as staff training, email filters, and all sorts of other preventive measures – in short, cyber defence in depth.
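The baseline-then-red-flags approach Damian describes, as an added illustration that is not part of the interview: a small Python script learns each user's usual login countries and egress volumes from a few constructed log lines, then flags logins from unseen countries or outside working hours and egress far above the baseline. The log format, the 07:00 to 19:59 window and the 10x egress threshold are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log lines (not from the article): "timestamp user event country bytes"
LOGS = """\
2024-03-01T09:12:00 alice login GB 0
2024-03-01T17:40:00 alice egress GB 250000000
2024-03-02T08:55:00 alice login GB 0
2024-03-02T18:05:00 alice egress GB 310000000
2024-03-04T03:02:00 alice login CN 0
2024-03-04T04:10:00 alice egress GB 2000000000000
"""
WORK_HOURS = range(7, 20)  # assumed normal login window: 07:00 to 19:59

def parse(text):
    rows = (line.split() for line in text.strip().splitlines())
    return [(datetime.fromisoformat(t), u, e, c, int(n)) for t, u, e, c, n in rows]  # one tuple per line

def build_baseline(events, train_until):
    """Per user: login countries seen and egress volumes observed on days up to train_until."""
    base = defaultdict(lambda: {"countries": set(), "egress": []})
    for ts, user, event, country, nbytes in events:
        if ts.date() > train_until:
            continue
        if event == "login":
            base[user]["countries"].add(country)
        elif event == "egress":
            base[user]["egress"].append(nbytes)
    return base

def find_red_flags(events, base, train_until, egress_factor=10):
    """(timestamp, user, reason) for post-baseline activity that falls outside the normal pattern."""
    flags = []
    for ts, user, event, country, nbytes in events:
        if ts.date() <= train_until:
            continue
        b = base.get(user, {"countries": set(), "egress": []})  # unknown user: everything is new
        if event == "login":
            if country not in b["countries"]:
                flags.append((ts, user, f"login from unseen country {country}"))
            if ts.hour not in WORK_HOURS:
                flags.append((ts, user, f"login outside working hours at {ts:%H:%M}"))
        elif event == "egress" and b["egress"] and nbytes > egress_factor * max(b["egress"]):
            flags.append((ts, user, f"egress of {nbytes} bytes is over {egress_factor}x the baseline maximum"))
    return flags

def detect(text, train_until_iso):
    train_until = date.fromisoformat(train_until_iso)  # baseline on days up to this date, flag the rest
    events = parse(text)
    return find_red_flags(events, build_baseline(events, train_until), train_until)
```

Running `detect(LOGS, "2024-03-02")` yields three flags for the 4 March events: a login from an unseen country, a login at 03:02, and an egress volume far above anything seen during the baseline days.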
Overlaps between the internal and external threat
What you're saying about security monitoring, email filters, and so on doesn't sound that different to how you'd address the external threat.
Yes, the two aren't completely separate. They are distinct, of course, but you have to implement controls that apply to both. Security monitoring is one. Another is access control:
- Do you have role-based access control?
- Are you following the principle of least privilege?
- Are you only granting access on a need-to-know basis?
Regardless of whether someone brute forces a user account [external threat], or you're dealing with a malicious insider, you want to give people as little access as possible.
What other technical controls work for both internal and external threats?
Segmentation and segregation are good. Again, limit the access people have to things, whether an authorised user or not. Zero-trust architecture will also help with that.
But the most important thing is to not rely on just one control. Take a defence-in-depth approach – get multiple layers of measures working together, making up for each other's weaknesses.
You can never know where the next attack or threat might come from. Who might turn malicious, what might turn bad, who may want to harm your organisation.
So, the more defences you have in place, the more protected you'll be.
Want to identify risks within your internal systems?
Our Internal Infrastructure Penetration Test contains a mix of advanced manual testing techniques and automated scans to simulate real-world attacks, so you can identify risks within your systems.
We'll assess:
- Patching
- Passwords
- Encryption
- Configurations
- Authentication
- Network traffic
- Information leakage
At the end of the test, you'll receive a comprehensive report containing a high-level, non-technical summary of the risks to your business, as well as detailed descriptions of each technical vulnerability our consultant identified and remediation advice.
About Damian Garcia

Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he's helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.
He has an MSc in cyber security risk management from the University of Southampton. Damian's dissertation focused on the insider threat. He received a distinction for both.
Damian maintains various professional certifications. As our head of GRC consultancy, he remains deeply committed to safeguarding organisations' information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.
We hope you enjoyed this edition of our "Expert Insight" series. We'll be back soon, chatting to another expert within GRC International Group.
If you'd like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.