Security Threats Hiding In Plain Sight - InformationWeek

6/3/2016
07:06 AM
Thomas Claburn

Security Threats Hiding In Plain Sight

IT professionals would rather manage external threats than worry about insiders, a recent survey by Soha finds. But singular focus when it comes to security can end up being a costly mistake.

(Image: TBIT via Pixabay)


Data breaches have become so common that it's easy to overlook them. There were 781 known data breaches in 2015, according to the Identity Theft Resource Center, enough to read about mistakes being made twice a day if the media chose to write about every incident. Websites like haveibeenpwned.com list dozens of breaches affecting high-profile websites.

Almost anyone active online for a few years is likely to have received multiple breach notifications. So many businesses get hacked or reveal data through inattention that the details become a blur.

The potential threat posed by insiders is well known, even if employees, contractors, and partners don't represent the most significant threat vector. According to Verizon's 2016 Data Breach Investigations Report, 172 data breaches around the world last year were attributable to insiders and privilege misuse out of 2,260 breaches analyzed.

Privacy Rights Clearinghouse's database of data breaches suggests a relatively small percentage of breaches happened as a result of insiders: 13 out of 229 listed from 2015. Since the cause of many breaches is not publicly known, insider involvement could be greater.

Perhaps because so many attacks come from the outside, IT executives don't show much concern about the risk associated with third-party access to secure systems. Soha Systems, a provider of enterprise access management services, recently conducted an online survey of 219 IT professionals in the US, and found that only 2% of them saw third-party access as a top priority in terms of IT initiatives and budget allocation.


That's not entirely surprising. As a police force isn't likely to see its own people as its most pressing concern, IT professionals can be expected to look outside their organization and partners before turning their attention inward.

But Soha suggests more attention should be directed inwardly because "third parties cause or are implicated in 63 percent of all data breaches." That figure comes from a 2013 Trustwave report: "The majority of Trustwave's investigations (63%) revealed that a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers."

History has proven that insiders and partners can present problems, as they did for CVS, Samsung, American Express, and Experian.

Soha's findings perhaps overstate the disinterest of organizations in the security of the companies they work with. A BitSight Technologies study from March 2015, conducted by Forrester Consulting, found that third-party security represented a top business concern among enterprises.

Reconciling various vendor-backed studies to reflect the varying security situations faced by each different organization may not be a fruitful endeavor. Apples are not always compared to oranges, so to speak, and there's a lot of statistical cherry-picking. Try to think of an example of a vendor-backed study that doesn't justify the company's product and your thinking cap will run out of batteries. Then there's the issue of drawing conclusions from what people say in surveys rather than measuring what they actually do. Talk is cheap; implementing better security practices usually isn't.

But cost isn't a free pass to do nothing. Here's a look at why and some of the major findings of Soha's study. Let us know what you think. What measures does your organization take to stay safe from attacks from outsiders as well as insiders?

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Susan Fourtané,
User Rank: Author
7/30/2016 | 3:05:50 PM
Re: On Another Note.....
Technorati, 

Yes. At the same time you wonder if it's not stating the obvious. If it would, we wouldn't be having these discussions, though. 

-Susan 
Susan Fourtané,
User Rank: Author
7/30/2016 | 12:56:04 PM
Re: On Another Note.....
Technorati, 

Prevention and education are two great tools everyone should consider in order to avoid security problems as much as possible. It's important to always be vigilant. In-house training is one option.

Another option is encouraging employees to attend security conferences to stay updated, listen to the experts, and have security always present. Everyone in the company needs to be involved. 

-Susan 

 
Susan Fourtané,
User Rank: Author
7/28/2016 | 9:39:52 AM
Re: On Another Note.....
Technorati, 

I don't think it's employees who don't take security measures seriously. It's more a lack of information about those security measures. This is why it's so important for enterprises to always have in-company training on security. How many times have we heard about employees who innocently have made a terrible mistake? Of course, there is also a percentage of people who are simply careless no matter what.

-Susan 

 
Joe Stanganelli,
User Rank: Author
6/5/2016 | 12:01:46 PM
Treat them all as insiders.
Protecting against insider threats is arguably even more important -- since most external attacks ultimately rely on gaining some form of insider access.