Dive Brief:
- Though most IT leaders think accidental security risks are more likely, 61% believe there are employees "maliciously" putting them at risk, according to Egress' data breach survey of about 500 U.S. and U.K. tech leaders and about 4,000 U.S. and U.K. employees.
- The majority of IT leaders, 79%, believe employees have unintentionally invited security risk at their companies in the last 12 months, according to the survey. Nearly half of IT leaders expect their company to experience a targeted data breach in the next year.
- The bulk of insider data breaches, 60%, are a result of employees rushing or making mistakes, followed by a lack of awareness at 44%, lack of training or tools at 36% and intentionally leaking data "to harm the organization" at 30%.
Dive Insight:
Ignorance is security's Achilles' heel. Insider threats may be scarier when employees don't believe they're doing anything wrong.
About one-third of companies view security as a threat to business growth, but a single cybercrime can rack up $13 million in cost, not to mention the cost of rebuilding brand trust and image.
The easiest way to address unintentional risk invited by "curious" employees, the ones that fall between malicious and ignorant, is to establish guidelines for acceptable IT behavior, including limiting the addition of unsanctioned digital services and controlling who is allocated privileged credentials.
Companies are increasingly looking to their DevOps teams to ingrain security into the development lifecycle. The "shift left" mentality, which moves security into the development stages, lets companies detect vulnerabilities earlier.
It's tempting to implement new tools like AI and ML to detect nefarious behaviors, but assessing the fundamentals is just as important. Detecting unauthorized machine-to-machine communication that follows a phishing scheme, for example, is a start. If a company's systems cannot withstand a phishing scam, that is a larger engineering failure.