Latest news
The true scale of the insider threat
Posted on 07 April 2011.
UK employees are likely to either maliciously or accidentally disclose confidential information about their employers to unauthorized personnel.
A LogRhythm survey of 3000 UK workers revealed that 37 percent of people have shared privileged company information with their friends and family, while 21 percent of laptop/desktop-owning respondents stated that they have transferred company data to their personal computer, even though more than half of these devices – 58 percent – were shared with, or could at least be accessed by, other people.
Smartphone users also present a risk, with 14 percent admitting that they transfer work data to their personal handsets.
The research also showed that many employees would leak company information to the media if they thought their employee was acting immorally or illegally, with 26 percent willing to become whistleblowers. A further 34 percent stated that they would report this activity to the police.
When asked about the scale of the security risk posed by employees, 82 percent of respondents stated that they believed the insider threat to be equal to or greater than the threat posed to organizations by external attackers.
“This research shows that there are many ways in which security breaches can occur, regardless of the insider’s intentions,” said Ross Brewer, vice president and managing director, international markets, LogRhythm. “In transferring information to a personal laptop or smartphone, an insider is putting that information at risk of misuse. It need not be deliberate action but simply carelessness that does the damage. Moreover, the willingness of employees to gossip about confidential information with their friends and families, and even to deliberately disclose information to non-colleagues, shows that organisations should be very concerned about the information they make available to insiders.”
The survey also suggests that the security risks posed by employees may worsen in the future, as workers between the ages of 18 and 24 were routinely the worst offenders. They are more likely to transfer confidential information to external devices, particularly to smartphones where figures were 10 percent higher than average at 24 percent. This group was also more likely to share information with friends and family, with 40 percent doing so.
“Despite the readiness of some of those surveyed to reveal confidential information about their organisations, many of those same people also believe that stricter rules need to be enforced and are concerned about treatment of their own information,” continued Brewer. “65 percent of those surveyed worry that their personal data might be misused by banks, shops, local councils or other organisations they interact with. Judging by the risks they themselves take with their own employers’ intellectual property, they are probably right to be nervous.”
When asked about how easy it was to access company secrets, 19 percent reported that there was no policy restricting access to information on the company network, while a further 15 percent said that although there was a policy, it was still possible for unauthorised people to access privileged content. Support for more stringent security procedures was high, with 63 percent favouring strictly enforced policies to prevent unauthorised staff from accessing data, 60 percent advocating disciplinary action for staff in breach of the rules and 52 percent backing the use of technology to monitor access to restricted files.
“While stricter policies and disciplinary action may deter some staff, it is only by continually monitoring networks that organisations can detect anomalous activity and minimise the risks of leaks occurring in the first place,” said Brewer. “For example, deploying a Protective Monitoring system that enables the analysis of log data in real-time means that if a leak were to occur, it would be detected and dealt with straight away. This is vital for minimising the significant reputational and financial damage that can occur as a result of a security breach.”
A LogRhythm survey of 3000 UK workers revealed that 37 percent of people have shared privileged company information with their friends and family, while 21 percent of laptop/desktop-owning respondents stated that they have transferred company data to their personal computer, even though more than half of these devices – 58 percent – were shared with, or could at least be accessed by, other people.
Smartphone users also present a risk, with 14 percent admitting that they transfer work data to their personal handsets.
The research also showed that many employees would leak company information to the media if they thought their employee was acting immorally or illegally, with 26 percent willing to become whistleblowers. A further 34 percent stated that they would report this activity to the police.
When asked about the scale of the security risk posed by employees, 82 percent of respondents stated that they believed the insider threat to be equal to or greater than the threat posed to organizations by external attackers.
“This research shows that there are many ways in which security breaches can occur, regardless of the insider’s intentions,” said Ross Brewer, vice president and managing director, international markets, LogRhythm. “In transferring information to a personal laptop or smartphone, an insider is putting that information at risk of misuse. It need not be deliberate action but simply carelessness that does the damage. Moreover, the willingness of employees to gossip about confidential information with their friends and families, and even to deliberately disclose information to non-colleagues, shows that organisations should be very concerned about the information they make available to insiders.”
The survey also suggests that the security risks posed by employees may worsen in the future, as workers between the ages of 18 and 24 were routinely the worst offenders. They are more likely to transfer confidential information to external devices, particularly to smartphones where figures were 10 percent higher than average at 24 percent. This group was also more likely to share information with friends and family, with 40 percent doing so.
“Despite the readiness of some of those surveyed to reveal confidential information about their organisations, many of those same people also believe that stricter rules need to be enforced and are concerned about treatment of their own information,” continued Brewer. “65 percent of those surveyed worry that their personal data might be misused by banks, shops, local councils or other organisations they interact with. Judging by the risks they themselves take with their own employers’ intellectual property, they are probably right to be nervous.”
When asked about how easy it was to access company secrets, 19 percent reported that there was no policy restricting access to information on the company network, while a further 15 percent said that although there was a policy, it was still possible for unauthorised people to access privileged content. Support for more stringent security procedures was high, with 63 percent favouring strictly enforced policies to prevent unauthorised staff from accessing data, 60 percent advocating disciplinary action for staff in breach of the rules and 52 percent backing the use of technology to monitor access to restricted files.
“While stricter policies and disciplinary action may deter some staff, it is only by continually monitoring networks that organisations can detect anomalous activity and minimise the risks of leaks occurring in the first place,” said Brewer. “For example, deploying a Protective Monitoring system that enables the analysis of log data in real-time means that if a leak were to occur, it would be detected and dealt with straight away. This is vital for minimising the significant reputational and financial damage that can occur as a result of a security breach.”
Spotlight
Is it time to professionalize information security?
Posted on 23 May 2013. | The issue of whether or not information security professionals should be licensed to practice has already been the topic of many a passionate debate.
Review: Logging and Log Management
Posted on 22 May 2013. | Every security practitioner should be aware of the overwhelming advantages of logging and perusing logs for discovering system intrusions. But logging and log management comes with its own set of difficulties.
Experts highlight top data breach vulnerabilities
Posted on 22 May 2013. | Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
