Last year, I reported on a study conducted by Intel Security that found that 43 percent of data loss was caused by insiders. Even though we know the problem is there and that it’s serious, organizations still struggle with the whole idea of insider threats, at least according to several new studies that have come out in the past couple of weeks.
Why is nearly half of an organization’s data loss due to insiders? A Fasoo and Ponemon Institute study found that it could be because the vast majority of IT security professionals (72 percent) aren’t confident in their ability to manage or control employee access to sensitive files. Even more worrisome is that these same professionals don’t know where those sensitive files are and have no visibility into what employees are accessing or sharing without authorization. Bill Blake, president of Fasoo, addressed this discovery:
What should be concerning to C-level executives and corporate boards is that most organizations have no idea where mission-critical information is located on the corporate network, who has access and what they are doing with that information. Organizations must be vigilant in applying and enforcing security policies as well as knowing where the organization's most valuable information is located at all times.
The Fasoo study also pointed out that 56 percent of the respondents admitted that they aren’t doing a very good job at educating insiders about the security of sensitive data, adding:
Most companies do not conduct an audit to determine if the use and sharing of confidential documents and files are in compliance with regulations and policies. Those companies that did conduct an audit discovered deficiencies in their document or file security practices.
The Fasoo study mirrors the results found in an Experian-sponsored Data Breach Resolution study from the Ponemon Institute, where 55 percent of respondents said their company suffered a security incident due to insiders, both negligent and malicious. One of the reasons for this, according to 60 percent of the respondents, is that employees aren’t knowledgeable about security risks. Yet, only 46 percent of companies make security training mandatory for employees. Michael Bruemmer, vice president, Experian Data Breach Resolution, said:
Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches. Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently.
The actions of insiders, both intentional and unintentional, can be devastating to a company. What is your organization doing to avoid the security risks of insider threats? If you aren’t able to answer that question, you may find yourself trying to manage an incident sooner rather than later.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.