Insiders Remain Greatest Security Threat - InformationWeek
05:08 PM
Connect Directly
Faster, More Effective Response With Threat Intelligence & Orchestration Playboo
Aug 31, 2017
Finding ways to increase speed, accuracy, and efficiency when responding to threats should be the ...Read More>>

Insiders Remain Greatest Security Threat

Workers and other insiders admit to risky behavior -- such as accessing corporate e-mail from Wi-Fi hotspots -- in a survey by security firm RSA.

The people inside an organization represent its greatest security risk.

That's according to a report (pdf) released on Monday by RSA, the security division of enterprise storage company EMC.

RSA said that the survey was fielded in November and consisted of 126 person-on-the-street interviews (using questionnaires) of government and corporate office workers in Boston and Washington, D.C.

"The findings of the survey underscore that the threat posed to data by well-meaning insiders -- employees, contractors, suppliers, partners, visitors, and consultants who have physical and/or logical access to organizational assets -- greatly broadens that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes," the report states.

The recent 2007 SANS Top 20, a list of the year's most significant security risks, also noted that computer users tended to be the weakest link in the computer security chain.

What sort of risky behavior are office workers engaging in? Some 52% said they sometimes or frequently accessed work-related e-mail via a public computer, such as a might be found at a Internet cafe, hotel, or airport. And 56% sometimes or frequently accessed work-related e-mail through a wireless hotspot.

Asked, "Have you ever lost a laptop, smartphone, and/or USB flash drive with corporate information on it?", 8% said they had.

And 63% of respondents indicated that they sometimes or frequently send corporate documents to a personal e-mail address in order to work on them at home.

While the RSA report suggests that additional security technology can mitigate these risks -- RSA is in the business of selling such things, after all -- it also acknowledges that the blame for users' disregarding security policies belongs in part with the creators of those policies.

"Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business," the report says. "Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy."

And the fact is that for many workers, corporate security policies are either not convenient or are poorly understood. About 35% of respondents said that they felt they needed to work around corporate security policies to get their jobs done.

Sam Curry, VP of product management at RSA, said that the survey respondents were "innocent people working hard to do their jobs" and risks arising from their willful or accidental contravention of corporate policy weren't the product of malice. "Security procedures need to be in touch with the realities of human behavior," he said.

Curry stressed the need for user education, to make workers aware of the consequences of their actions. And he also said that organizations needed tools to monitor employee behavior to understand the gaps between policy and worker behavior. Said Curry, "Organizations need visibility into how people actually behave."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll