Organisations still not prepared to address the 'enemy within'

Security threats from insiders are “exploding”, but businesses are not ready to accept it.

Speaking to IT Security Guru, Clearswift senior vice president of products Guy Bunker said that in a sense “everything is getting worse”: from the perspective of the organisation, the coupling of technologies with the open network is responsible for two-thirds of the threats within the extended enterprise.

Looking back at Clearswift’s 2013 research on the “enemy within”, Bunker admitted that there had been a large jump in the perceived threat because people were bringing the threat in, but said this had been matched by an increase in awareness.

“It is not just losing data, it is about reputation as most businesses can survive a targeted attack better than they can reputation damage,” he said. “The Sony breach showed that this can occur without going after IP and it proved it was about cyber crime and a dodgy film, but it is all value to someone.”

The Clearswift research, which surveyed 500 IT decision makers, found that 88 per cent had experienced an IT or data security incident in the last 12 months, with 73 per cent of those coming from the extended enterprise (employees, ex-employees, third parties).

Bunker said that Clearswift was seeing a rise in the number of companies increasing their awareness programs as these become more important, as well as in awareness of who to go to. “Organisations don’t understand when information goes outside, but they are more au fait on where it is inside the organisation,” he said.

“You don’t want to brand all employees to be an ‘enemy within’, but without an education policy you can get to a trust issue. It is about protecting information and interests of the company.”

The survey found that only 14 per cent of respondents believe that until their organisation has a serious internal data breach, it will never be taken as seriously as the threat of external hackers, while 72 per cent of companies believe internal security threats are still not treated with the same level of importance as external threats by the board.

Bunker said that the 14 per cent statistic showed that there is a problem with employees whom businesses want to trust. The majority of internal incidents happen by mistake rather than through malice, but it doesn’t matter whether an incident is malicious or not: the data is still out.

Asked what they currently see as the biggest internal security threat to their organisation, 45 per cent said removable storage devices/USBs, 44 per cent said users not following protocol or data protection policies, and 39 per cent said employees using non-authorised tools/applications.
