Top execs blind to insider threat

Employees remain the biggest security threat to enterprises, warns report

Negligent or malicious employees pose one of the biggest security threats to firms, according to a report that reveals over three-quarters of companies have experienced one or more insider-related security problems that were not publicly disclosed.

A global survey of 461 IT and security professionals working at medium to large firms also found that nine out of 10 respondents regarded insider threats as one of their top three security concerns, but half of these staff did not think their chief executive attached the same importance to the issue.

Brian Contos, chief security officer at security management software specialist ArcSight, which commissioned the research, said that because boards have little awareness of the danger from insiders, many IT directors find it difficult to get the necessary resources to minimise the risk.

"There is a bit of a generational gap where CEOs don't like to think any of their staff could betray the business, but IT chiefs are more aware that with data no longer locked in silos it is easy for insiders to steal or inadvertently compromise sensitive data," Contos said.

Contos said IT directors need to highlight the scale of the risk and consider adopting enterprise-wide early detection systems alongside traditional measures such as background checks on new staff and monitoring of email usage. He said such systems can monitor the IT use of staff and in some cases physical movements, and detect suspicious behaviour that should be investigated more closely.

However, IT lawyer George Gardiner advised that under privacy regulations firms using such monitoring tools should notify staff that they could be monitored and ensure all checks are reasonable and necessary. He also warned that companies need to consider the possibility that this type of monitoring could alienate staff.

The latest survey follows a separate study last month by data encryption specialist Pointsec highlighting security problems caused by negligent business travellers who lose corporate laptops and mobiles at airports.

The study found a quarter of the machines handed in to UK airport lost property departments had no encryption or password security.