All we can say is this: What took so long? This TechWorld story reports on findings from the Computer Security Institute that say insider threats have moved ahead of viruses in the number of reported incidents. That makes perfect sense. While viruses certainly have not gone away, it's clear that the lion's share of attention during recent months has focused on data that leaves the enterprise, either through user laziness, sloppiness or malicious intent.
The story offers a link to a .PDF of the survey, which covered 494 security workers from U.S. corporations and government agencies. The numbers are pretty close, but the dangers from within are greater: 59 percent said they encountered an insider threat during the previous year, compared with 52 percent who wrestled with a virus.
The study also noted that "laptop and mobile device theft" finished a scant 2 percentage points behind viruses. It is on the rise, the survey suggests, and may soon overtake viruses and move into second place. Another interesting finding was that 28 percent of those surveyed said they felt their company was the victim of between one and five attacks specifically targeted at them.
The insider threat, which sometimes is referred to as data leakage -- probably a better label -- is pernicious because it is broad and not necessarily aimed at the corporate agenda. There are virtually limitless ways in which data can be lost, and IT staffs simply can't keep their eyes on everything. The second complicating factor is that since data leakage is caused by both malicious and non-malicious people, the initiatives needed to squelch each kind are quite different. Finally, upper-level management often doesn't react until it is too late, since security is not a money maker.
This piece has a good breakdown of just how data leaks. It says that 98 percent of data that exits the enterprise when it shouldn't does so by accident or, in the words of the writer, through the "stupidity" of employees. One-half of 1 percent is stolen by professionals who evade detection and 1.5 percent by vengeful ex-employees. It's no surprise that tools that sound alerts when information is leaving against corporate policies are more effective against accidental loss than against people deliberately trying to circumvent the software. Such tools are available from Reconnex, Vontu, Onigma, Tablus, Port Authority and others, the story says.
People are so intent on identifying villains that carelessness as a cause of data leakage can be overlooked. Enterprise Networking Planet reports on a survey conducted by Forrester Consulting that reveals that more than 20 percent of responding companies inadvertently exposed sensitive data on a blog or public message board during the previous 12 months. The author offers an example: Last summer, AOL accidentally posted information on the search queries of about 658,000 subscribers. The author says that the folks responsible for the problem -- which generated a lot of bad publicity -- certainly had no ill intent.
This post at Ian Yip's Security and Identity Thought Stream summarizes his impressions after spending two months assessing data security and leakage. He concludes that the area is still "the wild west" in that both organizations and vendors are taking decidedly different approaches to the problem. He says that the "agent" versus "agent-less" question, which is common in the security world, is evident in data leakage as well: whether to deploy software that monitors node-to-node and perimeter traffic, or to put an agent on each end device.
On the good news/bad news front, the blogger says that thieves intent on stealing data generally can find a way to do so. However, most people will stop doing things in an insecure manner if they are told. The blogger says data leakage has high visibility today and that, though compliance remains the main driver of remediation efforts, it is increasingly clear that preventing data leakage contributes to a faster return on investment.
Since the insider threat and data leakage are such broad topics, there are a lot of technologies that can help. That's good, but it also means that a lot of decisions must be made and priorities set. That's difficult if top-level executives are not engaged.
For instance, how deeply should encryption be used? Of course, the more encryption is used, the more secure the enterprise is. However, an increase in encryption systems means that there are more encryption keys to be protected. The use of endpoint-to-endpoint e-mail encryption -- instead of gateway-to-gateway approaches -- also raises issues of increased complexity.