Hardly a day goes by without us hearing of the significant risk that external parties pose to organizations reliant on technology systems. But sometimes the biggest risks are staring us right in the face. A recent report from security vendor Vormetric is sobering reading and shows just how much risk is posed by insiders. The Insider Threat Report was produced in conjunction with Harris/Nielsen and the Ovum analyst firm. The survey polled residents of the US, UK, Germany, Japan, Singapore, Malaysia, Indonesia, Thailand and the Philippines. It focused on IT professionals responsible for evaluating, purchasing, or managing information security information technologies and services for their organization and working for enterprises grossing $250 million or more.
In a year that has seen some high-profile data breaches (think Target, the iCloud celebrity photo hack, the Sony debacle, Home Depot, JP Morgan Chase and Supervalu among many others) you’d think that external risks are top of mind for these practitioners. Not so. So, what’s the big issue with internal risks and what scary findings came up? For a start, 94% of US organizations polled feel they are vulnerable to insider threats. In other findings:
- 59% of respondents believe privileged users pose the most threat to their organization
- Preventing a data breach is the highest or second highest priority for IT security spending for 54% of respondents
- 46% of respondents believe cloud environments are at the greatest risk for loss of sensitive data in their organization, yet 47% believe databases have the greatest amount of sensitive data at risk
- 44% of respondents had experienced a data breach or failed a compliance audit in the last year
- 34% of the respondents are protecting sensitive data because of a breach at a partner or a competitor
Lead analyst for Ovum, and instigator of the report, Andrew Kellett puts it bluntly when he says that:
The Insider Threat report indicates nearly all of U.S. organizations polled perceive a security vacuum and feel quite threatened. As much as we may have hoped to believe it, the Edward Snowden affair was not our data security pinnacle. According to the report, almost half of the U.S. organizations polled experienced a data breach or failed a compliance audit in the past year – which tells us the situation has probably gotten more complicated.
These findings were backed up by another survey, this one from SolarWinds. In their survey, which focused on the public sector, SolarWinds found that:
- 53% of federal IT pros identified careless and untrained insiders as the greatest source of IT security threats at their agencies, up 42% from last year.
- 64% believe malicious insider threats to be as damaging or more damaging than malicious external threats. Further, 57% believe breaches caused by accident or careless insiders to be as damaging or more damaging than those caused by malicious insiders.
- While 29% of federal IT pros said budget constraints are the single most significant obstacle to maintaining or improving IT security (down from 40% last year), investment is still not increasing for insider threat prevention.
- Although most agencies increased investment over the past two years to address malicious external threats (70%), less than half did the same for malicious insider threats (45%) or accidental insider threats (44%). In fact, some said investment decreased regarding insider threats.
And it seems that people are blind to the lack of efficacy of security regulations. Despite a rash of data breaches among organizations that were considered compliant, nearly 60% of respondents found compliance standards to be “very” to “extremely” effective.
Increasing internal risks, a blind acceptance that existing standards are effective and an ever-increasing proportion of critical business being done via the internet – that’s a recipe for disaster in anyone’s book.
This article was written by Ben Kepes from Forbes and was legally licensed through the NewsCred publisher network.