The four walls around a company's data servers continue to erode as end users find it increasingly easy to use Web-based tools and take their work home and on the road. The latest survey finds that companies are more concerned than ever about unintentional employee errors that can lead to data leakage.
The IDC survey of 400 high-level managers in the United States, the United Kingdom, France and Germany was sponsored by EMC's RSA security division. It found that 52% characterized their incidents arising from insider threats as predominantly accidental. The problem is on the rise as a result of companies using contractors and third-party partners to do business.
"Companies are finding more than ever before that they really need to have good access policies and the right level of controls associated with those policies," said Chris Young, senior vice president of products at RSA. "Organizations often try to start out with a model of trust between permanent and temporary employees, but they also have to balance that trust with controls."
Young said unintentional employee errors often aid external attackers. An employee who fails to update a Web-based tool could leave a gaping hole for an attacker to deploy malware and find a way into sensitive systems.
Security experts believe that insider threat management is the single biggest issue not adequately addressed by enterprises. Brian Sears, director of information systems at Seattle-based accounting firm Benson & McLaughlin, said the human factor is being ignored even as statistics indicate that most breaches occur at the hands of a current or former employee.
"In every case companies need to start with well-developed policies that are embraced by senior management, then adopted as part of company culture," Sears said. "They need to train employees to understand what's in the policy and the company's expectations."
Many experts agree with Sears' analysis. A recent panel of experts, discussing the latest spate of high-profile data breaches, called on organizations to think about security basics to mitigate the risk of data loss.
"The weakest link in the chain is and always has been the people," said Bob Russo, general manager of the Payment Card Industry Security Standards Council.
Despite insider mistakes being a major threat to the business, it's unclear if security budgets will reflect an investment in technology to address insider threats. About 60% said they expect budgets to remain the same or decrease over the next 12 months. The same percentage said they typically don't allocate funding based on internal or external threats.
"If you take a step back you'll see that a lot of organizations are still trying to fight security battles the way they've traditionally been doing it," Young said. "They're not paying attention to making sure information in the organization isn't being misused."
Over the past 12 months, surveyed organizations experienced 6,244 incidents of unintentional data loss through employee negligence. Contractors and temporary staff represented the greatest risk. Nearly 40% of survey respondents in the healthcare industry indicated contractors and temporary staff represented the greatest risk for data loss.
Young said security training for contractors is limited and company security policy is not always clearly communicated to temporary workers. Educating them about company security policy, along with basic security training, goes a long way toward reducing risk.
"It's a breakdown in communication and training," Young said. "Any industry using more contractors and more temporary employees is likely to have higher incidents."
Companies should also consider an annual review of the security policy. Any changes should be thoroughly documented for auditors, and should reflect business changes as well as any newly identified threats to the business.
Contractor mistakes, for example, are not necessarily malicious. According to IDC, contractors often create multiple accounts that expire at different times so they can start work immediately the next time they get a contract.
"The survey shows that while there's a lot of risk around contractors, the controls we put in place and the level of attention paid to access policy is not consistent with the level of risk that group of employees represents," Young said.