ILTA WHITE PAPER | SECURITY & COMPLIANCE
USING EMPLOYEE ENGAGEMENT AND TECHNICAL CONTROLS TO REDUCE INSIDER RISK
In an increasingly digital world, cybersecurity for the information and data that law firms
and other counsel are entrusted with is more important than ever. Complex passwords,
multi-factor authentication, and firewalls are essential defense mechanisms, but they often
fail to address a significant risk vector: the employee, an insider. Optiv defines insider risk
as "the potential for an employee or other person with legitimate system and data access
to negatively impact an organization's people, data, or resources" (Insider Risk | Optiv).
Ponemon Institute's 2023 Cost of Insider Risks Global Report (Ponemon Cost of Insider Risks
Global Report - DTEX Systems Inc) notes that the costs of insider risk are at an unprecedented
high. In 2023, the average annual cost of a data breach from insider risk was $16.2 million per
organization, up from $15.4 million in 2022. Typically, these data breaches take about three months
to contain. Moreover, the 2023 report revealed that the most significant costs of insider-related
data breaches are accrued after the incident occurs due to containment and remediation efforts.
While insider risk can never be eliminated, it can be reduced through technical and non-technical controls and by leveraging employee engagement.
Insider Risk Explained
When exploring how to reduce insider risk, it is vital to understand the differences between
unintentional insider risk and intentional insider risk. Organizations experience harm from
unintentional insider risk when an employee or another person closely associated with the
organization is negligent or becomes complacent when handling data. Careless insiders can
compromise data security by losing a laptop with unencrypted data, sharing a password with an
unauthorized individual, clicking links in a suspicious email, or any other negligent act where
due regard for data security is not observed. Complacency can also contribute to unintended data
loss when insiders fail to follow proper security protocols, such as not updating applications and
operating systems, using or reusing weak passwords, or
not following data deletion best practices. In 2023, these non-malicious insiders accounted for 75%
of all insider risk incidents (Ponemon Cost of Insider Risks Global Report - DTEX Systems Inc, p. 5).
Using Employee Engagement and Technical Controls to Reduce Insider Risk
by Scott Busch, Ethan Powell and Joshua Smith