The rapid development of the software as a service (SaaS) business model is increasing the threat that an organization's own employees pose to its information systems. Most experts already ranked insiders, that is, those who work in the organization, first when assessing the dangers that information security systems must confront. Now that cloud technologies are maturing and many organizations are moving their information resources to the cloud, the threat from employees is growing even stronger.
According to a study conducted by BetterCloud, 90% of IT and security professionals fear insiders as a source of threats to information security. At the same time, 46% of respondents believe that the organization's use of SaaS applications significantly increases its vulnerability to insider actions, and 75% consider cloud storage itself the greatest threat.
The study covered 490 people from various industries. Their positions range from information system administrators to security engineers, and the size of the organizations in which they work ranges from less than 100 to more than 10,000.
Cybersecurity threats associated with insiders materialize in three ways. First, an insider's identification data may be compromised by external attackers. Second, an employee may intentionally seek to harm the organization, for example in pursuit of financial gain.
The third and most common case is an insider's careless attitude toward storing the important information entrusted to them. Conscientious but careless users pose the main threat to protected information: this is the opinion of 62% of respondents.
All three of these data leakage mechanisms gain new momentum when an organization switches to SaaS. When an employee of an organization that uses cloud technologies connects to the corporate network from outside, they create new opportunities for anyone who wants to attack that network.
As a result, those responsible for protecting information in organizations need to raise employee literacy in information protection, apply even more effective technical security measures, and develop strict organizational controls.