Dive Brief:
- Employers should balance the need to eliminate insider data threats with protecting employees' privacy, according to an online survey shared with CIO Dive's sister publication, HR Dive. The research, from Forrester Analytics Global Business Technographics Workforce Benchmark, included 7,388 respondents from eight countries.
- The survey showed that in 2015, workers caused 26% of the data breaches in the respondents' organizations, a statistic that rose to 48% in 2019, according to previous surveys from the organization. Insider threat protection programs "must account for the growing protections for employee privacy."
- Forrester said a successful insider threat program requires open communication, clearly defined objectives and avoiding the prioritization of security over productivity.
Dive Insight:
Last year was dubbed the "worst year on record" for reported data breaches. Malicious insider threats contributed to almost 7 billion exposed records in the last 18 months.
But nonmalicious insiders are more common in data breaches.
As the Forrester report noted, treating workers like criminals and over-monitoring their personal activities could undo strategies for engaging them.
In a June HR Metrics & Analytics Summit study, 80% of employers said they use employee records and data to measure a range of worker activity, from retention and turnover to recruitment and engagement.
The study also found that this use of data raises ethical concerns.
While employees accept being monitored for work-related activities, 72% of employees reject surveillance over social media use, personal interactions and moving around the workplace.
The majority of IT leaders believe security threats are more likely accidental than malicious. Unintentionally inviting cyber risk into a company, however, can have dire consequences.
The majority of insider data breaches, 60%, result from employees rushing or making mistakes, according to research from Egress. A lack of awareness or training is another reason for unintentional breaches.
Still, almost one-third of data breaches were caused by employees intending to harm the business.
Privacy watchdogs calculate fines based on intentional or negligent infringements, but so-called "curious" employees — the ones between malicious and ignorant — contribute to a risk appetite a company is uncomfortable with.
The ethical challenges involving data breaches and protecting employees' rights may call for HR leaders' involvement, but according to a GetApp survey released in November, most HR professionals aren't serious enough about data security.
One-third of respondents said they're operating without a policy to protect employees' data, and of those with a written policy, 44% said their greatest challenge is getting workers to comply with it.
To fill gaps in employee cybersecurity hygiene, companies have the option of establishing acceptable IT behaviors and privileged credentials.
If gaps remain, looking to DevOps teams to integrate more security into the development lifecycle is also an option. The "shift left" mentality in cybersecurity could allow for earlier threat detection.