Out-Law News
26 Aug 2009, 5:56 pm
"The exposure of confidential information is now the single greatest threat to enterprise network security," said the 400-company study carried out for RSA by research firm IDC. "Although renegades and rogues can represent a serious threat to an organization, they have recently taken a back seat to the risk of good employees doing bad things inadvertently and/or deliberately."
"Accidental security incidents by company insiders happen more frequently and have the potential for greater negative impact than malicious insider attacks," said a company statement.
"The growing number of incidents in which employees inadvertently violate corporate policy has become the most serious 'insider threat'," the report said. "In fact, our research found that organizations experienced an average of 14.4 incidents of unintentional data loss through employee negligence in the past 12 months."
"The majority of organizations (52%) characterized their insider threat incidents as predominantly accidental. We found that only 19% believed insider threat incidents were primarily deliberate," it said.
The study does show that deliberate malice should not be discounted, though. While 14.4 incidents per month are the result of negligence, nearly 12 per month on average are the result of deliberate information security violations and the same number of incidents are down to aggrieved former employees.
"The vast nature of an organisation's infrastructure, coupled with a dispersed, often global employee base, and complex internal user mix of employees, consultants, partners and outsourcers make addressing the risks posed by its internal users the biggest security challenge that [senior executives] currently face: whether the risk is intentional or not, it's there. It's real," said Chris Christiansen of IDC.
"Internal risks are growing and to remain competitive, [executives] must change the way they defend their business and expand security priorities to address the heightened need for protection from risk both intentional and accidental from an insider," said Christopher Young of RSA.
The study found that executives were looking for, and fixing, the wrong problems, leading to the loss of valuable data.
"Malicious insider threats, such as unauthorized access to confidential data and the spread of malware and spyware from within the enterprise ranked highest among [executives'] security concerns," said the RSA statement. "However, the insider security threats that caused the largest number of instances (unintentional data loss through employee negligence) and greatest financial impact (out-of-date or excessive privileges and access control rights for users) were accidental."
The survey questioned 400 companies, 100 from each of the UK, France, Germany and the US. France was the country with by far the highest proportion of security incidents that were predominantly accidental.