Threat from Within: Managing Insider Data Security Risks
FindLaw. By Eric Sinrod
The Ponemon Institute hits just keep on coming! Another report provided first to this columnist exposes troubling data security facts, including that notwithstanding all the news reports about breaches, 78% of US IT professionals claim that their companies have suffered unreported insider-related security breaches. Thus, we truly do not know the full extent of the ongoing data security problem.
The Ponemon report, titled "National Survey On Managing The Insider Threat," sponsored by ArcSight, defines an "insider threat" as the "misuse or destruction of sensitive or confidential information, as well as IT equipment that houses this data, by employees, contractors, and others." Insider threats are stated to occur due to "human error such as mistakes, negligence, reckless behavior and sometimes even corporate sabotage." The report seeks to ascertain the root causes of insider threats and strives to find answers as to how IT professionals can respond to such IT and business risks.
This Ponemon report is a follow-on to an October 2005 study titled "What A Data Breach Costs A Company," in which it was determined that an organization's direct and indirect costs of responding to a data breach come to $138.39 per data subject. While an organization could expect to spend on average $3.4 million annually to grapple with insider security breaches, the majority were investing less than $1 million in preventative measures.
So, what's new, as we fast-forward to the latter part of 2006? Well, as mentioned, the new report documents that insider security breaches are going unreported, and one is left with the feeling that corporate America is not taking this seriously. The new report drills down a bit to make that point.
According to the new report, "lack of resources and leadership makes it difficult to address the insider threat." Indeed, 93% of US IT respondents state their belief that the foremost barrier to handling this risk is lack of sufficient resources. Meanwhile, 80% also place the blame on lack of leadership. On top of this, 31% further report that another cause is the fact that no one person within an organization has overall responsibility for managing insider security threats. Feeling better yet?
Perhaps the lack of funding and leadership emanates from CEOs not taking the threat of insider data breaches seriously: 49% of respondents believe that CEOs are of this mindset. This is in stark contrast to the view of 89% of US IT respondents that such threats should be taken seriously.
Given the current state of affairs, not surprisingly, US IT respondents devote a considerable amount of their time seeking to prevent or control insider threats. Fully 10% spend more than half of their time on this threat, while approximately 55% devote more than 30% of their time to insider-threat-related work.
The new Ponemon report helps document the greatest insider threats. US IT respondents responded in the following percentages when asked about what constitutes the greatest risk (each respondent was allowed two choices): careless employees (34%); negligent employees (32%); temporary employees (29%); disgruntled employees (21%); terminated employees (19%); partners (16%); privileged users (12%); and system administrators (11%).
Thus, rather than the impression we may have that terminated and disgruntled employees represent the greatest risk, it appears that simple carelessness and negligence are the biggest root of the insider security problem. Indeed, 61% of respondents affirm that accidental data leaks occur "frequently" or "very frequently" because employees lack sufficient knowledge about preventative measures, and 66% also state that this is the case because of employee carelessness. Hello? Wake up!
The top ranked IT security risks, according to the respondents, are missed or failed security patches on critical applications, insider threats (the subject of this column), and virus, malware or spyware infections. Thus, insider threats truly are of great concern to IT people in the know.
The highest ranked manual controls that respondents believe can mitigate insider threats are: supervision and management, training and awareness activities, and independent audits. Technologies that respondents believe can reduce insider threats are identity and access management solutions and encryption. For managing insider threats, respondents recommend content filtering and data leak detection and prevention solutions.
So, corporate America, are you ready to follow the lead spelled out by your IT professionals? Let's hope so, for your own sake.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is http://www.sinrodlaw.com and he can be reached at ejsinrod@duanemorris.com.
To receive a weekly email link to Mr. Sinrod’s columns, please send an email to him with Subscribe in the Subject line.
This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.
© 2006 FindLaw