Insiders Remain Greatest Security Threat - InformationWeek


Workers and other insiders admit to risky behavior -- such as accessing corporate e-mail from Wi-Fi hotspots -- in a survey by security firm RSA.

The people inside an organization represent its greatest security risk.

That's according to a report (pdf) released on Monday by RSA, the security division of enterprise storage company EMC.

RSA said that the survey was fielded in November and consisted of 126 person-on-the-street interviews (using questionnaires) of government and corporate office workers in Boston and Washington, D.C.

"The findings of the survey underscore that the threat posed to data by well-meaning insiders -- employees, contractors, suppliers, partners, visitors, and consultants who have physical and/or logical access to organizational assets -- greatly broadens that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes," the report states.

The recent 2007 SANS Top 20, a list of the year's most significant security risks, also noted that computer users tended to be the weakest link in the computer security chain.

What sort of risky behavior are office workers engaging in? Some 52% said they sometimes or frequently accessed work-related e-mail via a public computer, such as might be found at an Internet cafe, hotel, or airport. And 56% sometimes or frequently accessed work-related e-mail through a wireless hotspot.

Asked, "Have you ever lost a laptop, smartphone, and/or USB flash drive with corporate information on it?", 8% said they had.

And 63% of respondents indicated that they sometimes or frequently send corporate documents to a personal e-mail address in order to work on them at home.

While the RSA report suggests that additional security technology can mitigate these risks -- RSA is in the business of selling such things, after all -- it also acknowledges that the blame for users' disregarding security policies belongs in part with the creators of those policies.

"Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business," the report says. "Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy."

And the fact is that for many workers, corporate security policies are either not convenient or are poorly understood. About 35% of respondents said that they felt they needed to work around corporate security policies to get their jobs done.

Sam Curry, VP of product management at RSA, said that the survey respondents were "innocent people working hard to do their jobs" and risks arising from their willful or accidental contravention of corporate policy weren't the product of malice. "Security procedures need to be in touch with the realities of human behavior," he said.

Curry stressed the need for user education, to make workers aware of the consequences of their actions. And he also said that organizations needed tools to monitor employee behavior to understand the gaps between policy and worker behavior. Said Curry, "Organizations need visibility into how people actually behave."
