In a recent survey of international corporate executives, insider threats were their No. 1 security concern. Does data justify this level of concern? Should the top priority (and subsequent resources) of enterprise infosec teams be to curb insider security threats?
Ask the Expert
The perceived risk posed by insider threats has increased dramatically in the wake of Edward Snowden and the leaks surrounding the National Security Administration's PRISM program. Even before the Snowden leaks, though, many executives were already under the misconception that insiders can do more damage than attackers outside the firewall. This perception has been reinforced over time by incidents such as the sensationalized media attention given to Julian Assange and his WikiLeaks organization. Still, as publicly damaging as these leaks may have been, the data on insider security threats does not back up this perception of risk.
For example, the 2013 Verizon Data Breach Investigations Report stated that only 14% of reported data breaches involved insiders, and over 70% of those insider breaches occurred within 30 days of the employee announcing their resignation. By contrast, 86% of the data breaches in the Verizon report came from external sources, while only 7% came from business partners. Based on this information, infosec teams that assign the majority of their resources to mitigating insider threats may be making a big mistake.
An enterprise's information security strategy should be based on a solid risk management program that considers multiple potential risk factors, not on exaggerated media reports. The key is to focus on the value of the data itself and to build protections based on all potential risks -- not just insider threats. Executives are usually receptive to this familiar risk management approach because it is the same one used for other types of business risk decisions. It helps infosec teams prioritize limited resources more effectively, while also giving executives a more complete picture of the organization's information security risks.
This was first published in October 2013