"Accidental" security incidents by company insiders happen more frequently and have the potential for greater negative impact than "malicious" insider acts, according to a whitepaper from research house IDC. It also found a misalignment of security concerns by the majority of executives, who prioritised protecting against the latter rather than the former.
It was noted that no single technology will be able to protect against the actions of insiders, which is in itself a large group that includes consultants, outsourcing partners, contractors and business partners alongside employees and executives. IDC argues that "a comprehensive risk management framework is the only way to effectively manage operational risk, secure competitive advantage, reduce vulnerabilities, manage misconfigurations, reduce the growing number of regulatory compliance violations, and control high-profile incidents of information leaks".
Having polled 400 companies across France, Germany, the UK and the US, IDC said that 52% characterised incidents arising from insider threats as primarily accidental, compared with 19% who believed that incidents were primarily deliberate; 26% believed it was an equal mix of the two. But whether accidental or deliberate, the costs remain the same: the disclosure of sensitive information can result in regulatory actions, failed audits, litigation, public ridicule and competitive disadvantage. Sensitive information at risk includes customer and employee information, design plans, source code and other intellectual property.
The survey found that during the previous twelve months, organisations experienced an average of 14.4 incidents of unintentional data loss through employee negligence, with contractors and temporary staff representing the greatest risk. It was noted that due to the recession, many businesses are increasing the use of temporary or contract staff, creating a burden for IT staff who need to manage access rights, monitor activities, and de-provision non-active accounts, while still protecting sensitive information and complying with privacy regulations.
The most common types of incidents included unintentional data loss through employee negligence; malware/spyware attacks from within the enterprise; excessive privilege/access control rights; and deliberate information security policy violations. Data loss through negligence was most common in the financial, public and healthcare sector, while malware/spyware incidents were most prevalent in the telecoms industry.
Some 43% of organisations have a specific budget allocated for internal security risks, with almost 40% planning to increase their spend during the coming year.
The IDC survey was sponsored by business security company RSA.
Improved communication leads to increased risk
Separately, enterprise data security company Proofpoint noted that US companies are "increasingly concerned about a growing number of data leaks caused by employee misuse of email, blogs, social networks, multimedia channels and even text messages".
Perhaps at the most extreme level, it was found that 33% of the 220 surveyed businesses employed someone whose "primary or exclusive" job is to monitor the content of outbound email, compared with 15% in 2008. Some 34% of respondents said that their businesses have been impacted by the exposure of sensitive or embarrassing information, up from 23% in 2008.
Email poses the number one threat, with 43% of companies having investigated an email-based leak of confidential or proprietary information in the last twelve months. 18% had investigated an issue involving a blog or message board violation (with 9% having fired an employee for such an act). There was also an increase in threats from multimedia sharing sites such as YouTube, social networking sites including Facebook and LinkedIn, and mobile channels including SMS and Twitter.
Website TelecomTV noted that for European businesses, where different legislation applies to employees than in the US, a "clear and unequivocal" email and internet usage policy is essential, to avoid claims of unfair dismissal.