The threat from within
If you have followed CF Systems’ posts and news items you will know that we frequently highlight news of hacking and data breaches – recognised external threats. A recent report from security software vendor IS Decisions has focused our attention on the “threat from within”.
The study, entitled “The Insider Threat Security Manifesto: Beating the threat within”, surveyed 250 IT decision makers and found that more than 300,000 internal security breaches took place in UK businesses over the last 12 months – an average of 1,190 per working day (and more than twice that in the US).
Even so, this worrying statistic was still overshadowed by viruses (67 percent), data loss (47 percent) and hacking (39 percent), which security and IT managers noted as their biggest security concerns.
The good news is that these internal security breaches are not necessarily the work of unhappy or disaffected employees who wish to cause the business harm or attempt to profit from their misdeeds – malicious users are the exception rather than the rule.
As Bob Tarzey, Analyst and Director at Quocirca says in his introduction to the IS Decisions study:
“The day-to-day internal security threat faced by most organisations is not due to malicious behaviour; the ‘insider threat’ is most likely to be down to the misuse and poor use of IT. This in turn is often caused by inadequate policies and practices in the first place. A good example is the sharing of usernames and passwords, which exacerbates the problem because issues arising cannot be associated with individual users. Many aspects of the insider threat can be mitigated with investment in tools that monitor and, to a certain extent, control users, for their own benefit and for that of the organisation they work for.”
Interestingly, 42% of the IT managers interviewed for the study considered “ignorant users” to be the greatest threat, whilst “tech savvy users” came in second at 12%. Ignorant users are obviously a risk where sensible policies are not in place to outlaw password sharing or put device/departmental restrictions in place. Tech savvy users are a threat for exactly the opposite reason: frustrated by policies and controls, they might attempt to work around entirely sensible restrictions.
A third category that was highlighted was one that perhaps we might all identify with, and not just in the context of IT: over 8% identified senior management as the worst culprits for password sharing, sometimes to be able to delegate work, but more often because they work under the assumption that the rules do not apply to them!
However you categorise the risk, it’s clear that well-thought-out policies, training and infrastructure, together with a sensible approach that helps your staff do their jobs whilst protecting your important company data, are absolutely essential.
As Tarzey also said: “It really comes down to defending IT systems using security policies and ensuring that staff understand those policies.”
At CF Systems we provide a range of services that help clients devise effective policies that make their internal practices and data more secure from the threat from within. We also deliver the infrastructure and training that enable companies to have tailored security solutions, designed specifically for their business needs.