In his article on Network Security Edge, Top 10 Information Security Threats of 2010, Kevin Prince, CTO of Perimeter, discusses two specific employee-related security threats: malicious insiders (a rising threat) and careless employees (a steady threat). A third, remote workers, appeared on the 2009 top 10 list and has since dropped off it, but remains a major problem nonetheless.
A quick scan of the news shows why employee-related threats take multiple spots on the list. For example, a lost external hard drive resulted in a data loss affecting 1.5 million people, and an employee at Notre Dame University posted private employee information on a publicly accessible Web site.
From a data breach perspective, Prince told me, careless and untrained insiders/employees create a far greater threat than malicious insiders. "Of course, when malicious insiders do something, they cause much more havoc and devastation."
One way for companies to protect themselves from any employee-caused breach is security awareness training.
"People have talked about this for years, but I am surprised at how many organizations don't do it or don't do it at the levels needed to make a positive impact on their security," said Prince. "You want to create a culture of security awareness, and the way to do that is to create a program that is ongoing." For example, he added, his company offers a computer-based security training program that covers policies and procedures; each month, employees are trained on a new topic.
"Customers tend to forgive a company when it is hacked, but have much less sympathy when it is breached from an insider incident," Prince said.