Michael D. Moberly March 27, 2009
Today’s security (information asset protection) practitioners are expressing more concern about ‘insiders’ leaking or compromising sensitive company data than about ‘outsiders’ breaking (hacking) in and stealing it, according to various current studies and surveys.
In a (soon-to-be-published) survey by ‘Dark Reading’ (a sister publication of Information Week), some of the key findings essentially buck a long-time trend among information security practitioners, who have devoted a significant portion of their careers (up to this point) to addressing externally originated attacks on company data and sensitive information, e.g.,
– 52% of the survey’s respondents reported they are more concerned (now) about probabilities of internal data leaks (both accidental and malicious) than they are about external threats…
– but still, 44% of the respondents reported just the opposite, i.e., they’re more concerned with external attacks than internal threats…
Also, reported in the ‘Dark Reading’ survey:
– 59% of the respondents expressed the belief that their organizations were either (a.) likely, or (b.) bound to be infected in the coming 12 months with malware unintentionally introduced by (internal) employees and/or business partners…
– while 52% said it is likely that an employee will ‘accidentally expose’ sensitive company data/information to outsiders, with
– 36% reporting it is likely that their organizations’ sensitive data/information will be exposed due to loss or theft of a laptop or a portable storage device, and
– 29% expect their IT employees to be caught abusing their access privileges for the purpose of ‘looking at’ sensitive data/information that they are not authorized to see.
A 2008 Computer Security Institute survey reported that:
– 44% of all organizations experienced ‘insider’ abuse of computer systems, and
– 42% reported ‘laptop’ theft, now regarded as an insider threat, which makes it the third most common security event affecting organizations…
‘Understanding The Insider Threat’ (another Dark Reading report) found that:
– most ‘insider breaches’ are unintentional and are attributed to employees violating policies, circumventing (security) tools and practices…
In a study conducted by Insight Express and Cisco Systems, it was found that almost 20% of users admitted to altering the security settings on company-issued devices so they could access unauthorized websites;
– 24% of these respondents further admitted to sharing sensitive company information with others, and
– 44% admitted to allowing others to use their company-issued devices without supervision.
In yet another new Dark Reading report titled ‘Well Intentioned Employees – And How To Stop Them’ it was revealed that employees can cause breaches (aside from losing laptops) in many different ways, some without realizing it, e.g., insider breaches attributed to common user errors such as falling prey to phishing scams.
The Ponemon Institute, in their recent study, reported that:
– negligence accounts for 88% of insider breaches, and malicious attacks account for only 12%…
Palo Alto Networks (a firewall vendor) conducted an analysis (of insider threats/risks) and found that several recent high-profile (company sensitive data/information) breaches could be traced to:
– the growing intentional (employee) disregard of company security policies, which at most larger firms is showing up as unauthorized peer-to-peer application traffic!
‘Houston, we’ve got a problem’!!
And lastly, a survey conducted by Cyber-Ark Software reported that:
– 60% of U.S. workers have (already) downloaded sensitive corporate data in anticipation of (their) future layoff…
Interestingly, this is approximately the same percentage of terminated employees who take (proprietary, sensitive company) data and information with them when they leave, as previously reported by the Ponemon Institute study.