
External attacks start with unintentional mistakes, survey finds

By Robert Westervelt, News Editor
25 Aug 2009 | SearchSecurity.com


The four walls around a company's data servers continue to erode as end users find it increasingly easy to use Web-based tools and to bring their work home and on the road. The latest survey finds that companies are more concerned than ever about unintentional employee errors that can lead to data leakage.

The IDC survey of 400 high-level managers in the United States, the United Kingdom, France and Germany was sponsored by EMC's RSA security division. It found that 52% characterized their incidents arising from insider threats as predominantly accidental. The problem is on the rise as a result of companies using contractors and third-party partners to do business.

"Companies are finding more than ever before that they really need to have good access policies and the right level of controls associated with those policies," said Chris Young, senior vice president of products at RSA. "Organizations often try to start out with a model of trust between permanent and temporary employees, but they also have to balance that trust with controls."

Young said unintentional employee errors often aid external attackers. An employee who fails to update a Web-based tool could leave a gaping hole for an attacker to deploy malware and find a way into sensitive systems.

Security experts believe that insider threat management is the single biggest issue not adequately addressed by enterprises. Brian Sears, director of information systems at Seattle-based accounting firm Benson & McLaughlin, said the human factor is being ignored even as statistics indicate that most breaches occur at the hands of a current or former employee.

"In every case companies need to start with well-developed policies that are embraced by senior management then adopted as part of company culture," Sears said. "They need to train employees to understand what's in the policy and the company's expectations."

Many experts agree with Sears' analysis. A recent panel of experts, discussing the latest spate of high-profile data breaches, called on organizations to think about security basics to mitigate the risk of data loss.

"The weakest link in the chain is and always has been the people," said Bob Russo, general manager of the Payment Card Industry Security Standards Council.

Despite insider mistakes being a major threat to the business, it's unclear if security budgets will reflect an investment in technology to address insider threats. About 60% said they expect budgets to remain the same or decrease over the next 12 months. The same percentage said they typically don't allocate funding based on internal or external threats.

"If you take a step back you'll see that a lot of organizations are still trying to fight security battles the way they've traditionally been doing it," Young said. "They're not paying attention to making sure information in the organization isn't being misused."

Over the past 12 months, surveyed organizations experienced 6,244 incidents of unintentional data loss through employee negligence. Contractors and temporary staff represented the greatest risk. Nearly 40% of survey respondents in the healthcare industry indicated contractors and temporary staff represented the greatest risk for data loss.

Young said security training for contractors is limited and company security policy is not always clearly communicated to temporary workers. Education on company security policy and basic security training go a long way toward reducing risk.

"It's a breakdown in communication and training," Young said. "Any industry using more contractors and more temporary employees is likely to have higher incidents."

Companies should also consider an annual review of information in the security policy. Changes made should be thoroughly documented for auditors. Security policy changes should reflect business changes as well as any new issues identified as threats to the business.

For example, contractors are not necessarily making malicious mistakes. According to IDC, contractors often create multiple accounts that expire at different times, so they can start work immediately the next time they get a contract.

"The survey shows that while there's a lot of risk around contractors, the controls we put in place and the level of attention paid to access policy is not consistent with the level of risk that group of employees represents," Young said.
