No Good News on Insider Threats

We'll dispense with the good news first. There is so little of it in this Information Week report on a Websense survey about insider threats that it makes sense just to be done with it: The sampling is small and those canvassed were in the United Kingdom.

Now that that's out of the way, we can focus the rest of this post on the bad news. There certainly is plenty: For instance, the survey says that 8 percent of employees would "happily" send company information to a friend at a competitive firm, 51 percent think it is very unlikely that their employer would be any the wiser if they did, and 10 percent have accidentally sent out sensitive data. More bad news: 52 percent of respondents tried to hack into another worker's e-mail, 31 percent tried to guess the administrative password for their machine, and 21 percent admitted trying to access files that were off limits to them.

That's a lot of numbers to make a simple point: The survey validates the idea that the greatest threat to organizations is from the inside. This survey, and similar findings elsewhere, suggest strongly that companies need to turn their security gazes inward more fully than they do today. The future is not particularly bright, either, since hacker attention and the prevalence of MP3 players and other portable storage devices will only increase.

If all this isn't bad enough, it seems that the focus of the survey -- outside of the question on accidental e-mail -- points to malicious intent on the part of employees. What about all of the vulnerabilities that stem from ignorance or laziness? The Websense researchers were able to paint this dismal a picture without even asking a question about all those lost and pilfered laptops (granted, this seems to be mostly a U.S. phenomenon). Add unintentional security holes to the premeditated attacks outlined by Websense and a truly troubling picture emerges.