Results from a new survey suggest IT professionals must be constantly vigilant in watching for employee reprisals against company systems, thanks to the uncertain economy and, in some cases, multiple rounds of layoffs.
The 12th annual Ernst & Young Global Information Security Survey of nearly 1,900 senior executives found that 75% of respondents were concerned with the possibility of reprisal from employees who have left their organizations. While many of those surveyed were concerned about malicious former employees, far fewer were doing anything about it. Less than half (42%) were weighing the risks and only 26% were taking steps to address insider threats.
The report, issued Tuesday, is the result of a survey conducted among senior IT professionals between June and August 2009. Ernst & Young conducted field interviews with executives in 60 countries. The report supports earlier industry surveys warning how the sluggish economy could result in increased threats, reduced budgets and delays on IT security projects at many enterprises.
Senior IT executives indicated they were under pressure to cut costs, relied on current security systems and struggled to attract and maintain skilled and trained information security talent. They said finding adequate budget for security initiatives will be a major challenge for the coming year.
Security technologies fail to address insider threat management: Detecting troubled employees before their activities lead to a data security breach could help mitigate the risk of insider threats.
\Insider Threat Management Guide: In this Insider Threat Management Guide, contributor Gideon Rasmussen reviews how to fortify your organization's current insider threat controls and keep internal dangers to a minimum.
Societe Generale: A cautionary tale of insider threats: The $7.2 billion in fraud against French banking giant Societe Generale wasn't your garden variety cyber attack, but it illustrates an insider threat that gives IT pros nightmares.
"These are clear indicators that information security is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum," according to the report.
The result is a renewed focus on understanding potential threats and addressing them over time with a minimal investment in technology. Fifty percent of survey respondents indicated that they planned to spend more on security risk management, and 39% planned to spend relatively the same amount on this initiative over the next year. Meanwhile, regulatory compliance is taking a back seat, with 60% indicating spending would remain the same.
For those spending on new technologies, data leakage prevention (DLP) software and appliances seem to be the top choice. About 90% of those surveyed said they would spend either the same or more on DLP related technologies. DLP also ranked as the second-highest priority of organizations during the next 12 months, behind regulatory compliance activities. DLP focuses on employee behavior as it relates to data changes and movement in the environment. Companies can use the technology to detect policy violations by monitoring traffic. Some firms have found it to be an effective way to enforce security policies and user awareness programs.
Despite an increase in virtualization technology deployments as a result of the cost savings associated with pooling resources, senior IT executives didn't see it as a major security concern, according to the survey. Seventy-eight percent of respondents indicated they implemented virtualization, but only 19% said virtualization was a security priority.
"Clearly, our survey respondents do not recognize the same level of risk with virtualization as would be expected with such a significant and extensive change effort," the report stated. "More alarming is the fact that virtualization security should be a concern, but the majority of organizations and security leaders are ignoring its implications."
One recent survey by Nemertes Research indicated that companies are avoiding spending on virtualization security technologies until the market matures.
The survey also found senior IT executives perceived an increase in external and internal threats. Forty-one percent of respondents noted an increase in external attacks and 25% of respondents said they witnessed an increase in internal attacks. The concerns ranged from phishing and website attacks to employee privilege abuse and theft of proprietary data.
A number of security studies have documented a rise in Web-based attacks, fueled by an increase in employee use of social networks, blogs and Web applications. Others have documented the need for a greater emphasis on maintaining updated patches on employee productivity tools such as PDF viewers, media players and browser components, which include Flash and Java-based tools.
Compliance remained the top priority of enterprises. When asked about the importance of specific security activities, 46% of respondents indicated that complying with regulations was very important, with an additional 31% considering it important.
The report also found that compliance costs continue to rise; 55% of those surveyed indicated moderate to significant increases in compliance-related costs as part of overall security costs.
"This may be an indication that organizations are spending too much of their security budgets on demonstrating point-in-time compliance as opposed to implementing a comprehensive information security program where compliance is a by-product and not the primary driver," the report stated.