If the turbulent past few months have taught us anything, it's that everything has changed. And that has to include companies' efforts to defend themselves against even their own employees.
Both PricewaterhouseCoopers and security vendor Finjan are predicting the economy will fuel a rise in insider crime.
Yet in a just-released KPMG survey of more than 5,000 U.S. workers polled last summer, 74 percent said they had personally observed misconduct at work in the previous 12 months. Roughly half (46 percent) reported this misconduct "could cause a significant loss of public trust if discovered," with 60 percent of those in the banking and finance industry saying so. The survey also notes that the findings are similar to those of its 2005 report.
And this was before the recent market upheaval.
As Greg Bell, who leads KPMG's Information Protection Practice, puts it:
"So much has changed in just the past two or three months. Historically, in a shaky economy, we've seen incidences of fraud rise, we've seen incidences of employee malfeasance rise. So maybe we need new policies this time, maybe new procedures, and in some cases, new technologies. But so far, I think it just takes a different lens to look at the way you protect your critical information."
But beyond thinking differently about managing insider threat, it requires actually doing something about it.
When Verizon studied more than 500 data breaches — its report was issued in June — it found that in 59 percent of the cases, the organizations had established security policies and procedures, but never actually implemented them.
That suggests companies have not even been putting the best practices they already have on paper into effect.
What Risk?
Harshul Joshi, director for IT Risk and Advisory Services for accounting-services provider CBIZ, sees at least three types of risk in-house:
1. Disgruntled employees — Unhappy workers who might take your data or trade secrets to set themselves up in their own business, to sell to nefarious types or who might sabotage your systems out of revenge.
2. Naïve computer users — Those who unwittingly infect the network through spam, lose laptops filled with unencrypted data or threaten the business through myriad other accidents.
3. Contractors, partners, supply chain and outsourcers — It's hard enough to keep your own systems and users secure. Keeping tabs on everyone else and their systems — it's just a nightmare.
And the consequences can be even more dire than in times past, Bell points out. If a breach occurs, the damage to your company's reputation could be so severe that it's unable to line up its next round of financing.
But says Joshi: "The biggest mistake companies make is thinking that security is just IT. At the end of the day, it's a business decision."
That's one of the conclusions in a 2007 KPMG survey of 200 C-level executives. The executives reported definite room for improvement despite significant investments in technology to manage employee identities and access. That report advocates putting more muscle into establishing policy to protect the business, rather than just telling IT to take care of it.
Mark McClain, CEO of identity governance provider SailPoint Technologies, says that is exactly what his Fortune 1000 clients are asking for, especially where IT cannot tell on its own which combinations of privileges conflict.
"We're finding there's a little bit of pushback coming from IT. Some of it's coming from compliance issues and some of it's coming from all these layoffs. IT is pushing back on the business, saying, 'I can't read your mind,' so to speak," McClain says. "'I don't understand the business policies you want to implement. If you tell me what you want to implement, I can tell you how to best implement that using my technology.'"
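The gap McClain describes is concrete: the business knows which privileges must never sit with one person (the classic separation-of-duties rule), but IT can only enforce it once that rule is written down precisely. Stated as data, the rule becomes mechanically checkable against the role assignments IT already holds. The Python below is an added illustration, not code from the article or from SailPoint; the policy names, roles, entitlements and user assignments are constructed sample data.

```python
"""Separation-of-duties (SoD) check over role assignments.

Added illustration, not code from the article or from SailPoint. Every
policy, role, entitlement and user below is a constructed example.
"""
from typing import Dict, List, Set, Tuple

# Business-defined policies: each names a set of entitlements that are
# mutually exclusive, i.e. no single person may hold two or more of them.
SOD_POLICIES: Dict[str, Set[str]] = {
    "vendor-payment": {"vendor:create", "payment:approve"},
    "trade-settle": {"trade:enter", "trade:settle"},
    "payroll": {"payroll:edit", "payroll:approve"},
}

# Role catalog maintained by IT: role -> entitlements it grants.
ROLES: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor:create", "invoice:enter"},
    "ap_manager": {"payment:approve", "invoice:enter"},
    "trader": {"trade:enter"},
    "ops": {"trade:settle"},
    "hr_admin": {"payroll:edit", "payroll:approve"},  # conflict baked into one role
}

# Direct role assignments: user -> roles held.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},  # roles accumulated across job moves
    "carol": {"trader"},
    "dave": {"hr_admin"},
}

Violation = Tuple[str, Tuple[str, ...]]  # (policy name, conflicting entitlements held)


def effective_entitlements(user: str,
                           assignments: Dict[str, Set[str]] = ASSIGNMENTS,
                           roles: Dict[str, Set[str]] = ROLES) -> Set[str]:
    """Flatten a user's roles into the set of entitlements they actually hold."""
    held: Set[str] = set()
    for role in assignments.get(user, set()):
        held |= roles.get(role, set())
    return held


def violations_for(held: Set[str],
                   policies: Dict[str, Set[str]] = SOD_POLICIES) -> List[Violation]:
    """Return each policy violated by an entitlement set, with the overlap that triggered it."""
    found: List[Violation] = []
    for name, exclusive in policies.items():
        overlap = held & exclusive
        if len(overlap) >= 2:  # holding two or more mutually exclusive entitlements
            found.append((name, tuple(sorted(overlap))))
    return found


def check_user(user: str,
               assignments: Dict[str, Set[str]] = ASSIGNMENTS,
               roles: Dict[str, Set[str]] = ROLES,
               policies: Dict[str, Set[str]] = SOD_POLICIES) -> List[Violation]:
    """SoD violations for one user, across all roles they hold."""
    return violations_for(effective_entitlements(user, assignments, roles), policies)


def toxic_roles(roles: Dict[str, Set[str]] = ROLES,
                policies: Dict[str, Set[str]] = SOD_POLICIES) -> Dict[str, List[str]]:
    """Roles that violate a policy on their own, so anyone granted them is in breach."""
    return {
        role: [name for name, _ in violations_for(ents, policies)]
        for role, ents in roles.items()
        if violations_for(ents, policies)
    }


def audit_all(assignments: Dict[str, Set[str]] = ASSIGNMENTS,
              roles: Dict[str, Set[str]] = ROLES,
              policies: Dict[str, Set[str]] = SOD_POLICIES) -> Dict[str, List[Violation]]:
    """Users with at least one SoD violation, for review by the business owner."""
    report = {u: check_user(u, assignments, roles, policies) for u in assignments}
    return {u: v for u, v in report.items() if v}


if __name__ == "__main__":
    for role, broken in toxic_roles().items():
        print(f"role {role} conflicts by design: {', '.join(broken)}")
    for user, found in audit_all().items():
        for policy, ents in found:
            print(f"user {user} violates {policy}: {' + '.join(ents)}")
```

Two findings come out of the sample data, and they are different kinds of problem: bob is clean in each role but in breach through the combination he accumulated, while hr_admin is a role nobody can hold without breaching the payroll policy. The first is an assignment review; the second is a role design fix.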