Your staff - not hackers - are the biggest IT security threat

Sep 15 2006 by Nic Paton

Negligent or malicious employees pose one of the biggest security threats to businesses, with more than three-quarters of companies having experienced one or more insider-related security problems that were not publicly disclosed.

While businesses are keenly aware of the danger of rogue hackers, often teenagers operating from back bedrooms, the survey of 461 IT and security professionals has found that in fact it is insiders who pose a much greater threat.

The survey, by security management software specialist ArcSight, found that nine out of 10 businesses polled ranked insider threats as one of their top three security concerns.

Yet half of these IT staff did not think their chief executive attached the same importance to the issue.

Brian Contos, ArcSight chief security officer, said because boards had little awareness of the danger from insiders, many IT directors found it difficult to get the necessary resources to minimise the risk.

"There is a bit of a generational gap where CEOs don't like to think any of their staff could betray the business, but IT chiefs are more aware that with data no longer locked in silos it is easy for insiders to steal or inadvertently compromise sensitive data," he said.

IT directors needed to highlight the scale of the risk and consider adopting enterprise-wide early detection systems alongside traditional measures such as background checks on new staff and monitoring of email usage, he advised.

Such systems can monitor the IT use of staff and in some cases physical movements and detect suspicious behaviour that should be investigated more closely.

But IT lawyers have warned there are also privacy regulations to take into consideration, and firms using such monitoring tools need to notify staff that they could be monitored.

They also need to ensure all checks are reasonable and necessary and consider the possibility that this type of monitoring could alienate staff.

The survey, said technology magazine IT Week, follows a separate study last month by data encryption specialist Pointsec.

This highlighted security problems caused by negligent business travellers who lost corporate laptops and mobiles at airports.

A quarter of the machines handed in to UK airport lost property departments had no encryption or password security, it found.