InformationWeek | IT Leadership // Security & Risk Strategy | News
6/3/2016 07:06 AM
Thomas Claburn

Security Threats Hiding In Plain Sight

IT professionals would rather manage external threats than worry about insiders, a recent survey by Soha finds. But singular focus when it comes to security can end up being a costly mistake.
(Image: TBIT via Pixabay)

Data breaches have become so common that it's easy to overlook them. There were 781 known data breaches in 2015, according to the Identity Theft Resource Center, enough to read about mistakes being made twice a day if the media chose to write about every incident. Websites like haveibeenpwned.com list dozens of breaches affecting high-profile websites.

Almost anyone active online for a few years is likely to have received multiple breach notifications. So many businesses get hacked or reveal data through inattention that the details become a blur.

The potential threat posed by insiders is well known, even if employees, contractors, and partners don't represent the most significant threat vector. According to Verizon's 2016 Data Breach Investigations Report, 172 data breaches around the world last year were attributable to insiders and privilege misuse out of 2,260 breaches analyzed.

Privacy Rights Clearinghouse's database of data breaches suggests a relatively small percentage of breaches happened as a result of insiders: 13 out of 229 listed from 2015. Since the cause of many breaches is not publicly known, insider involvement could be greater.

Perhaps because so many attacks come from the outside, IT executives don't show much concern about the risk associated with third-party access to secure systems. Soha Systems, a provider of enterprise access management services, recently conducted an online survey of 219 IT professionals in the US, and found that only 2% of them saw third-party access as a top priority in terms of IT initiatives and budget allocation.

That's not entirely surprising. As a police force isn't likely to see its own people as its most pressing concern, IT professionals can be expected to look outside their organization and partners before turning their attention inward.

But Soha suggests more attention should be directed inwardly because "third parties cause or are implicated in 63 percent of all data breaches." That figure comes from a 2013 Trustwave report: "The majority of Trustwave's investigations (63%) revealed that a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers."

History has proven that insiders and partners can present problems, as they did for CVS, Samsung, American Express, and Experian.

Soha's findings perhaps overstate organizations' disinterest in the security of the companies they work with. A BitSight Technologies study conducted by Forrester Consulting in March 2015 found that third-party security represented a top business concern among enterprises.

Reconciling various vendor-backed studies to reflect the differing security situations faced by each organization may not be a fruitful endeavor. Apples are not always compared to apples, so to speak, and there's a lot of statistical cherry-picking. Try to think of an example of a vendor-backed study that doesn't justify the company's product and your thinking cap will run out of batteries. Then there's the issue of drawing conclusions from what people say in surveys rather than measuring what they actually do. Talk is cheap; implementing better security practices usually isn't.

But cost isn't a free pass to do nothing. Here's a look at why and some of the major findings of Soha's study. Let us know what you think. What measures does your organization take to stay safe from attacks from outsiders as well as insiders?

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Michelle, User Rank: Ninja
7/30/2016 | 5:11:28 PM
Re: Treat them all as insiders.
@Joe that's right! I often forget about insider threats, but they are a significant attack vector. Connected things will become more of a security threat as well (see community.hpe.com/t5/HPE-Business-Insights/The-biggest-security-threats-of-2016-How-CIOs-can-prepare/ba-p/6855393)
Susan Fourtané, User Rank: Author
7/30/2016 | 3:05:50 PM
Re: On Another Note.....
Technocrati,

Yes. At the same time you wonder if it's not stating the obvious. If it would, we wouldn't be having these discussions, though.

-Susan
Technocrati, User Rank: Ninja
7/30/2016 | 1:55:51 PM
Re: On Another Note.....
@Susan Agreed. Companies need to be far more proactive regarding security and make it an integral part of their culture. Something as simple as screensavers that state "Security is serious business" or "Think first. Before you Click" would be a great way to keep security in the minds of employees.
Susan Fourtané, User Rank: Author
7/30/2016 | 12:56:04 PM
Re: On Another Note.....
Technocrati,

Prevention and education are two great tools everyone should consider in order to avoid security problems as much as possible. It's important to always be vigilant. In-house training is one option.

Another option is encouraging employees to attend security conferences to stay updated, listen to the experts, and have security always present. Everyone in the company needs to be involved.

-Susan
Technocrati, User Rank: Ninja
7/29/2016 | 2:51:00 PM
Re: On Another Note.....
@Susan I agree most employees do take security seriously; it is that percentage of careless people that should keep IT awake at night. All it takes is one person to be careless and the network is compromised.

You and I know this, but if you are dealing with people who "click the link first" and then wonder why their machine doesn't work like it used to, it is a big problem. Locking down the network does not make people happy, nor is it an effective solution due to smartphones and cloud-based access.

Security firms are reluctant to acknowledge this because of course it directly affects their position.

I like the in-house training, but it will have to be carried out at least bi-annually to keep security in the minds of employees.
Susan Fourtané, User Rank: Author
7/28/2016 | 9:39:52 AM
Re: On Another Note.....
Technocrati,

I don't think it's employees who don't take security measures seriously. It's more a lack of information about those security measures. This is why it's so important for enterprises to always have in-company training on security. How many times have we heard about employees who innocently have made a terrible mistake? Of course, there is also a percentage of people who are simply careless no matter what.

-Susan
Technocrati, User Rank: Ninja
7/27/2016 | 7:54:18 PM
Re: On Another Note.....
@vnewman You make excellent points, and I agree you should vet potential vendors regarding their cyber readiness, but as you point out, they will never admit they are not up to standard. If companies were to demand this, then the number of third-party vendors they actually did business with would decrease dramatically.

Not necessarily a bad thing unless you are one of the companies that didn't make the grade. And I suppose we would be very surprised by the companies that come up short.

Those that can meet the standards will probably pass the cost of this on to the consumer. And even then there are no guarantees; it might even be analogous to "double taxation" for the consumer.

They will pay for security and then pay for the ensuing breach. This is a really difficult issue that probably cannot be solved by free market principles.
vnewman2, User Rank: Ninja
7/27/2016 | 6:06:58 PM
Re: On Another Note.....
Let's talk about third-party vendors (with the Target example in mind). Vendors should be interrogated about cyber risk before giving them the proverbial keys to the castle. Vendors possess significant understanding of the risks presented by the use of new software, network configurations, cloud computing and the like, but understandably are not prone to publicize what could be perceived as defects in their service offerings.

Software vendors, in particular, are often in the best position to answer questions about their product vulnerabilities, but they are also often reluctant to do so in order to avoid embarrassment and other negative consequences.
Technocrati, User Rank: Ninja
7/27/2016 | 1:24:37 PM
Re: On Another Note.....
I see. Third parties are those within the business cycle. Well, this is a major problem because not all businesses have the resources or the insight to provide the kind of security measures necessary in today's world.

Use your Amex at a local store, and you now entrust them to have secure systems?

Who remembers the Target breach?

Michelle's comment about using cash is sounding better and better by the minute.
Technocrati, User Rank: Ninja
7/27/2016 | 1:18:39 PM
Re: On Another Note.....
Third parties are mentioned as threats. What does this mean? Is this a reference to employees that don't take security measures seriously?

Because this happens constantly.