RSA: CXOs Rank Warding Off Intentional Insider Threats Highest in Priority
August 2009 by RSA, La Division Sécurité d’EMC
Accidental security incidents by company insiders happen more frequently and has the potential for greater negative impact than malicious insider attacks according to new IDC findings announced by research sponsor RSA, The Security Division of EMC. The IDC White Paper also shows a misalignment of security concerns by a majority of CXOs who give higher priority to protecting against malicious insider attacks over investing to prevent more frequent and potentially more damaging accidental insider security incidents.
The just-released IDC White Paper, “Insider Risk Management: A Framework Approach to Internal Security,” sponsored by RSA addresses insider risk – the potential threat that an organization is exposed to by internal users who have access to critical systems and confidential information. While aware that users create information security risks within their organizations, external threats often overshadow the importance of protecting against internal risks. The new research uncovers a misalignment of CXO security concerns with the greater number of internal breaches and the threat posed to a business’ bottom line by accidental security breaches, inappropriate access and misuse of information by its employee base.
Among the global IT decision makers that responded to the survey, the majority indicated they were unclear on the sources and intentions of internal risk and struggle to quantify the potential financial consequences and workflow impact. Of the organizations surveyed, 52 percent characterized their insider threat incidents as predominately accidental, only 19 percent believed the threats were deliberate, and the remaining 26 percent believed they were an equal combination while 3 percent were unsure. However, when asked to rank their top threats almost 82 percent of CXOs were unsure if incidents from contractors and temporary staff were accidental or deliberate.
“Employers view their relationship with employees as one of trust and recognize their people are their biggest asset,” said, Chris Christiansen, Program VP, Security Products of IDC. “But, the vast nature of an organization’s infrastructure, coupled with a dispersed, often global employee base, and complex internal user mix of employees, consultants, partners and outsourcers make addressing the risks posed by its internal users the biggest security challenge that CXO’s currently face: whether the risk is intentional or not, it’s there. It’s real.”
Other insightful results from the white paper highlight the number of insider security incidents from within an organization. In the previous 12 months, 400 respondents admitted to 6,244 incidents of unintentional data loss, 5,830 Malware / Spyware attacks from within the enterprise, and 5,794 incidents of risks created by excessive privilege and access control rights. In total, the number of internal security incidents from the respondents came out at 57,485 in the previous 12 months. The survey results show that almost 40 percent of organizations plan to increase spending on initiatives to reduce internal security risks over the next 12 months and as few as six percent will decrease spending. These results indicate there is not a single solution to best address internal security risks but rather a need to take a comprehensive risk management approach to better understand the organizations’ risk profile and where to best put controls in place.
“Security is everyone’s job, not just the job of the security team,” said, Christopher Young, Senior Vice President of RSA Products, “Internal risks are growing and to remain competitive, CXOs must change the way they defend their business and expand security priorities to address the heightened need for protection from risk both intentional and accidental from an insider. CXO’s must adopt a holistic strategy to mitigating insider threat that focuses on protecting critical information from misuse, leakage and loss by internal users, whether accidental or deliberate. ”
Although the increased sophistication of data breaches by determined fraudsters are prevalent, this new data highlights that unintentional data loss and information security controls affects the operational integrity of an organization to a greater degree than intentional, malicious attacks.
Nicki Wallace, Global Marketing Manager, Industry Solutions, RSA
Key research findings include:
• Unintentional vs. Deliberate Risk: Malicious insider threats, such as unauthorized access to confidential data and the spread of malware and spyware from within the enterprise ranked highest among CXO security concerns. However, the insider security threatsthat caused the largest number of instances (unintentional data loss through employee negligence) and greatest financial impact (out-of-date or excessive privileges and access control rights for users) were accidental.
• Source of Threat: In the last year, the greatest source of insider threat came from contractors and temporary employees.
• Financial Loss: The average annual financial loss from insider risk was nearly $800,000 in the IT Outsourcing industry.
• Decision-maker Uncertainty: While 93 percent of respondents were responsible for security decisions within their organizations, nearly 82 percent were unclear on the source of their company’s insider risk and could not accurately pinpoint or quantify the nature of the financial impact.
The IDC White Paper sponsored by RSA, “Insider Risk Management.