There's no shortage of mainstream media coverage every time a company or government agency exposes sensitive data that it's supposed to be protecting.

But there's not much focus on the varied nature of these exposures, and whether that makes a difference to the actions needed to plug these security holes.

To better understand the causes of insider risk and the challenges of managing it, RSA commissioned an IDC survey of some 400 senior IT decision-makers (CIOs, heads of IT, CSOs, CISOs drawn roughly equally from the UK, US, France and Germany).

The scale of the problem

The findings, published in a paper Insider Risk Management: A Framework Approach to Internal Security, vividly illustrate the scope of the risk that insiders pose to enterprise systems and information; especially sensitive information such as customer data, intellectual property, development plans, financials and so on.

The 400+ respondents admitted to a total of more than 57,000 internal security incidents in the previous 12 months, covering a range of accidental causes (e.g. loss of media, system vulnerabilities, shortcuts around security policies) and deliberate ones (e.g. unauthorised access, attacks by previous employees, internal fraud).

That's more than 140 incidents per company per year, or about a dozen internal incidents every month. Only 19% of respondents believe that these are predominantly deliberate. A breakdown by cause of incident shows that the single biggest cause is, in fact, unintentional data loss through employee negligence.

The complexity of the problem

Even when an attack is deliberate, the vulnerability exploited by the attacker might stem from unintentional negligence or a failure of policy.

For example, most organisations recognise the importance of cancelling the accounts of employees who have left the company, but in practice, IDC estimates that as many as 60% of active accounts on most systems shouldn't be active. This unintentional failure leaves the door open to deliberate attack by those who no longer have any relationship with the organisation. It's also a significant contributor to failed audits.

This kind of problem has become particularly acute as the boundaries of organisations have grown more fluid. Integrated supply chains, outsourcing, the rise of contracting and project-based work models all mean that more people than ever have some level of privileged access to some of your systems.

Partners, contractors and temporary staff are insiders too, but they're generally less familiar with security policies than permanent employees and are more transient. Yet they often have the same privileges and access rights as full-time permanent staff. Unsurprisingly, the IDC survey showed that contractors and temporary staff are generally seen as representing the greatest insider risk, although in some industries technical staff, with their greater knowledge and access, are more of a worry.
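One way to surface the orphaned accounts described above (departed employees whose accounts were never cancelled, and transient contractors whose access outlives their engagement), as an added example that is not part of the IDC paper or the original article: it reconciles a list of enabled accounts against an HR roster and flags accounts whose owner has left, whose contract has ended, that have no HR owner at all, or that have gone unused. The `Account`/`Person` records, the 90-day staleness threshold and the sample data are all assumptions constructed for the example.

```python
"""Reconcile enabled system accounts against the HR roster (constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:          # hypothetical export from a directory or application
    username: str
    enabled: bool
    last_login: Optional[date]   # None if the account has never logged in


@dataclass(frozen=True)
class Person:           # hypothetical HR roster row
    username: str
    kind: str                    # "employee" or "contractor"
    end_date: Optional[date]     # termination / contract end, None if still current


def orphaned_accounts(accounts: List[Account], roster: List[Person],
                      today: date, stale_days: int = 90) -> Dict[str, str]:
    """Return {username: reason} for every enabled account that should not be."""
    by_user = {p.username: p for p in roster}
    findings: Dict[str, str] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                      # already disabled: nothing to flag
        person = by_user.get(acct.username)
        if person is None:
            findings[acct.username] = "no owner in HR roster"
        elif person.end_date is not None and person.end_date <= today:
            findings[acct.username] = f"{person.kind} left on {person.end_date}"
        elif acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings[acct.username] = f"no login in {stale_days} days"
    return findings


# Constructed sample data: one current employee, one leaver, two contractors,
# one service account nobody in HR owns, and one account already disabled.
TODAY = date(2009, 8, 31)
ROSTER = [
    Person("alice", "employee", None),
    Person("bob", "employee", date(2009, 5, 15)),       # left in May
    Person("carol", "contractor", date(2009, 7, 31)),   # contract ended
    Person("dave", "contractor", date(2009, 12, 31)),   # still on contract
]
ACCOUNTS = [
    Account("alice", True, date(2009, 8, 30)),
    Account("bob", True, date(2009, 5, 14)),
    Account("carol", True, date(2009, 8, 20)),   # still logging in after contract end
    Account("dave", True, date(2009, 4, 1)),     # on contract but unused for months
    Account("svc_backup", True, None),           # no HR owner, never logged in
    Account("erin", False, None),                # already disabled, ignored
]
```

Running `orphaned_accounts(ACCOUNTS, ROSTER, TODAY)` flags bob, carol, dave and svc_backup with their reasons while leaving alice and erin untouched; in practice the roster would come from HR and the account list from each system's directory export.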

Addressing the problem

Despite the hundreds of thousands of dollars that the typical IDC respondent admitted to losing from insider incidents each year, and the fact that most are actively investing to combat the problem, only 43% have a specific budget allocated to internal security risks.

It's almost as if organisations don't want to come right out and name the problem, possibly because they believe that security breaches are an inevitable by-product of the need to trust employees to access the systems and information that let them do their jobs effectively.

The IDC paper recommends a framework approach to address the complexities of the insider risk landscape. No single solution or ad-hoc collection of point solutions will do; organisations should be using encryption, information classification and discovery, identity management and assurance, data loss prevention, security and event management and other techniques—all as part of an integrated approach to a continually growing problem.

Reference: Burke, B. and Christiansen, C., Insider Risk Management: A Framework Approach to Internal Security, IDC, August 2009.