New Developments

In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.

Insiders Top List of IT Threats

Information assurance solutions provider SecureInfo Corp. and security vendors RSA and GFI Software recently released three separate studies on the state of information security (IS) activities in the private and government sectors. Although each study targeted a different audience, they all arrived at the same conclusion: The majority of IT breaches and threats are due to insider violations of security policies.

In the SecureInfo study, Information Security Awareness Report: The Government Worker's Perspective (PDF, 312 KB), 100 U.S. government employees and full-time government contractors answered a series of questions regarding IS awareness and training. According to the results, 80 percent of government workers believe that there are significant threats to government information systems. This is because only 20 percent of government workers believe their co-workers follow IS policies and procedures 100 percent of the time.

What's more, only 36 percent of government workers are held accountable for knowing IS policies and procedures through their annual performance evaluation, while fewer than 50 percent were tested during the year on what they learned in awareness training. And although the majority — 97 percent — are required to take IS training, only one-third of those attending the training remembered most of the material covered, and 28 percent remembered less than 75 percent of the material.

As the results indicate, "there seems to be a significant lack of understanding by the government worker that each individual plays a critical role in protecting information assets and contributes to an agency's information security posture," explains the survey. "There needs to be a greater sense of urgency on the part of the federal government and from each government worker to directly address this vulnerability. Implementing awareness training is not enough."

Similarly, the RSA study, The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk (PDF, 651 KB), found that insiders (i.e., employees, contractors, partners, and consultants) pose the greatest threats to sensitive information. The person-on-the-street survey of IT, operations, human resources, finance, sales, marketing, customer service, and legal workers in the U.S. government and private sectors also found that these insiders unwittingly initiate data exposures through everyday behavior that is careless, bypasses established security protocols, or follows inadequate security policies.

For instance, while most survey participants — nearly 90 percent — conduct business remotely over a virtual private network or by using webmail, more than 50 percent access their work e-mail via a public computer (e.g., a computer at an Internet café, airport kiosk, or hotel) or via a public wireless hotspot (e.g., a wireless Internet connection at a coffee shop, airport, or hotel). In addition, more than 60 percent either leave their place of employment carrying a mobile device (such as a laptop, smartphone, or USB flash drive) that holds sensitive job-related information, or send work documents to their personal e-mail address so they can access them at home. Both practices clearly violate company security policies.

"The results of the survey underscore that the risk posed to data by well-meaning insiders . . . must be as closely managed as that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes," the survey says. Although these "trusted insiders" mean no harm when they work around security policies, the report explains, sensitive data can still be exposed, subjecting the organization and possibly consumers to unnecessary risk. To prevent data exposures, RSA recommends developing information-centric policies that acknowledge and align with the needs and realities of the business, measuring actual user behavior against established policy on an ongoing basis, and using what is learned to implement policy changes that minimize risk and maximize business productivity.

Finally, the GFI Software-commissioned survey of 455 small and mid-sized businesses (SMBs), Security Survey in the United States (PDF, 379 KB), found that threats to information systems are also the result of employee misbehavior, albeit unintentional. "Computer users can be considered as the least predictable and controlled security vulnerability," says Andre Muscat, director of engineering at GFI Software. "In the majority of cases, a lack of education and an understanding of basic security principles and procedures are the main causes of security breaches, rather than malicious activity — although the latter can never be ignored."

According to the GFI survey, 32 percent of SMBs experienced some sort of security breach in 2007 as the result of employee negligence, and these events are changing the sector's viewpoint on security tools and products. As in the SecureInfo study, respondents doubted their own defenses: 42 percent stated that their networks are not secure and are open to threats, even though 96 percent of them have deployed antivirus software, 93 percent are currently using firewalls, and 80 percent use spam filters.

"This may indicate that [SMBs] are starting to doubt the effectiveness of traditional perimeter security products in protecting them from other security threats, including data leakage and network breaches," the survey reports.

Furthermore, the results indicate a shift in SMBs' comfort level with IT security due to their own breach experiences. For instance, nearly 70 percent of respondents indicated that their systems have been infected by a virus in the past year, 30 percent said that they have downloaded infected Internet files, and 24 percent have lost hardware containing company information. To counteract these problems, 31 percent of respondents plan to invest in network monitoring tools, followed by e-mail management tools (29 percent) and network scanning and antivirus applications (26 percent).

For more information on each of these studies, visit the SecureInfo, RSA, and GFI Software Web sites.