Employees Remain Top IT Security Risk

The same technologies that recast datacenters as the core of wide-reaching corporate networks have also introduced a host of new security risks from both inside and outside the firewall.

Cloud computing, BYOD, mobile computing, social networks and other increasingly common tools allow employees to do far more with far fewer IT resources—as well as vastly increase their ability to damage their employers by letting sensitive data slip out through the same holes they use for Facebook, LinkedIn, BitTorrent sites and, sometimes, SaaS-based business apps they use to do their jobs.

While it’s not clear if top corporate managers really understand the scope of the communication technologies available to employees, it is clear that those board-level managers are certain of the source of the gravest risks faced by the corporation: employees.

According to a survey conducted by U.K.-based IT management consultancy IT Governance, 53 percent of top managers said employees pose the greatest risk for data loss or other digital crimes. The next-closest category—actual criminals—was named by only 27 percent of respondents, while state-sponsored cyber-attackers got 12 percent of the mentions and competitors brought up the rear with 8 percent.

The survey included the opinions of only 260 respondents—who selected themselves as subjects by signing up for the IT Governance survey, which was conducted online.

Insiders have always been considered the most consistent source of security breaches. They know where the valuable information is and already have access to it. Of almost 900 organizations studied by CheckPoint Technologies for a report published in January, 54 percent suffered at least one potential data-loss incident, but not from the usual culprits named in risk profiles, or even those that had already infected the company.

According to data CheckPoint gathered by monitoring more than 120,000 hours of online activity, people at 91 percent of companies studied had used P2P file-sharing networks or other applications that posed a direct risk of infection from malware. In light of that, it should be unsurprising that 63 percent of the companies studied were infected with bots and 75 percent had at least one user visiting malicious Websites.

The heaviest flow of data leaks didn’t come from infections caused by the careless online behavior of employees—which is often cited as the source of malware and bot infections.

On average, each incident of purposeful fraud—not just mailing sensitive data outside the firewall—cost the company $382,000, and 93 percent were carried out by non-technical employees, according to the 2012 edition of the annual “Insider Threat Study” of fraud in financial services, a report published annually by Carnegie Mellon University’s CERT Insider Threat Center, which also issues guides to mitigating the threat of insider theft and data theft.

Most insider methods lack technical sophistication, involve one employee acting alone and were discovered by audits, customer complaints or the suspicious minds of co-workers, the report said.

Intrusion detection systems and data-loss protection are not the answer.

Security threats are not a surprise to most of the companies victimized. Seventy-seven percent said they have intrusion-detection or other systems to detect and respond to security threats, IT Governance figures showed. It’s likely, however, that lack of oversight by senior management is to blame for at least some of employees’ tendency to ignore security policies.

While board members are responsible for supervising companies that must enforce the information-protection guidelines in PCI, HIPAA and other industry or government requirements, most don’t know enough about security to do that consistently. According to IT Governance, only 5 percent of top managers said they were briefed on security incidents or risks every day. Eleven percent are briefed weekly; 33 percent are briefed monthly; 52 percent are briefed only once per year.

Worse, while 25 percent said their companies had been hit with at least one “concerted attack” during the previous year, that number may be far higher; 20 percent didn’t know if the company had been attacked at all.

“In the face of the rapid development and deployment of new cyber-threats, such infrequent executive oversight of IT security status seems alarmingly casual,” according to Alan Calder, CEO of IT Governance in the statement announcing release of the study. “In the boardroom, many companies still appear too removed from the action for directors to meet their governance obligations.”
