A SpectorSoft survey encompassing some 772 IT security professionals suggests awareness of data loss is on the increase, which we obviously feel is a good thing, since we promote security awareness as a whole as being a positive benefit to any business. Respondents suggested, however, that they are still unprepared to tackle the issue.
A shocking 32% of those questioned said their organisation was totally unprepared for an insider attack because they lacked the ability to prevent it.
Over half (52%) of the respondents said they would be unable to determine the potential damage that could be caused by such an attack, while 44% of the security pros had no idea how much money their organisation was investing in mitigating the insider threat, either right now or in the future.
Around three quarters of those surveyed identified current employees as the most significant threat, either due to their negligence or through malicious desire.
Mike Tierney, chief operating officer of SpectorSoft, told eWeek that:
“I think the key first step businesses with smaller IT budgets can take to improve their insider defenses is to not use limited resources as an excuse.
“There are no-cost and low-cost, both in terms of dollars and effort, steps that all businesses can take.
“Improved internal communication between HR and IT costs nothing, but goes a long ways toward making sure that IT is able to react to elevated insider risk stemming from circumstances that only HR is aware of – like financial hardships, performance plans, and other personnel issues that can lead to disgruntlement.”
Tierney went on to list some fairly obvious solutions, such as having access controls in place to limit employees’ ability to access business-critical data unless they have a need to do so. He also explained how he thought that the insider threat would continue to represent a growing problem until businesses provided adequate investment in solutions, processes and people:
“Insider threats are typically more damaging than external, because the insider has been given access and knows exactly what they are looking for. They are typically harder to detect, for the same reasons. I believe increased investment is critical, but should not be done at the expense of perimeter defense. Robbing Peter to pay Paul won’t work here.”
Of course, solutions and processes are vitally important, but people are often overlooked.
Not only do many firms have staff who lack even a basic level of security awareness, they often, as the report concludes, have poorly trained staff too, with many of the survey respondents citing a lack of expertise as being a significant problem in terms of defending against insider threats.
Add in the fact that close to a third of the companies represented in the survey lack an incident response plan and it becomes clear that a shockingly large number of organisations remain ill-prepared to deal with any kind of security threat efficiently or adequately.
With more than half of those businesses that do have an incident response plan admitting that it does not factor in any kind of provision for an internally generated attack, it becomes even more apparent that the ‘inside man’ has the potential to wreak havoc in far too many organisations.
So what are companies doing to mitigate this potentially serious threat?
The answer appears to be not a lot – budgetary constraints and a lack of suitably trained staff remain a problem for many organisations and 28% indicated that insider threat detection was not even on their radar.
Given the damage that can be caused by employees acting without any intended malice, can your organisation afford to ignore the potential issues that could be caused by a deliberate saboteur, thief or disgruntled worker?