Naive employees “driving cyber security concerns” suggest results of Preempt study

Despite the perception that hackers are an organisation’s biggest cyber security threat, insiders – including careless or otherwise naive employees – are now viewed as an equally important problem. That’s according to the results of a detailed study conducted by Dimensional Research on behalf of Preempt.

‘The Growing Security Threat from Insiders’ Report finds that 49% of IT security professionals surveyed were more concerned about internal threats than external ones, with the majority (87%) most concerned about naive individuals or employees who bend the rules to ensure their job is done. Only 13% were more concerned about malicious insiders who intend to do harm.

Malware unintentionally installed by employees ranks as the top internal security concern, with 73% of respondents claiming they were worried about this aspect ahead of stolen or compromised credentials (66%), snatched data (65%) and the abuse of admin privileges (63%).

“According to the survey respondents, internal threats are emerging as being equally as important as external ones,” stated Diane Hagglund, founder and principal of Dimensional Research. “This means that an employee cutting corners to try and ensure that their job’s done more efficiently is viewed as being potentially every bit as dangerous as a malicious external hacker, yet these views are not reflected in the allocation of security budgets, which are traditionally focused on perimeter security.”

In addition to concerns about insider threats, the report also analyses cyber security training and end user engagement programmes. While nearly all of the organisations surveyed (95% of them, in fact) provide end user security training, very few (just 10%) believe this training to be very effective.

Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring yet again as the top two threats in the Business Continuity Institute’s most recent Horizon Scan Report. It’s perhaps for this reason that it has been chosen as the theme for Business Continuity Awareness Week 2017 with the intention of improving an organisation’s overall resilience by enhancing cyber resilience, and recognising that people are key towards achieving this end goal.

“Intentional or not, insider threats are very real,” commented Ajit Sancheti, co-founder and CEO of Preempt. “From Snowden through to the FDIC, new headlines continue to emerge. It’s obvious that we need to adopt a new approach in order to stay ahead of insider threats. Without real-time prevention solutions and improved employee engagement, these threats will not only increase, but also find more sophisticated ways in which to infiltrate and navigate a network. The future of security practices relies on security professionals’ ability to not only understand users and anticipate attacks, but also on how to mitigate threats as quickly as possible.”

Human behaviour “greatest threat to cyber security”

Information security practitioners almost universally agree that human behaviour is their largest security threat, with 97% of security executives surveyed agreeing that it was their organisation’s greatest vulnerability. This is the key finding of a study recently conducted by global technology company Nuix.

To counter the threat posed by human behaviour, businesses are becoming less likely to use fear in order to convey important security ideas. Only 24% of the late 2016 survey’s respondents tried to scare people into improving security, compared to 39% in 2015. Instead, security leaders are using policies, awareness and training to help people become part of the solution.

The Defending Data Report 2016 notes that, while businesses are investing to develop broad and mature cyber security capabilities, many survey respondents are uncertain about the most effective technologies and capabilities upon which to focus. Nearly four in every five respondents (79%) said they had increased spending on data breach detection in the past year, while 72% said they planned to do so in 2017. However, a majority of respondents (52%) said preventing data breaches was their top spending priority, while 42% said detection was their primary focus.

“Where this breaks down is that, even after they’ve received security awareness training, a large proportion of people will still put their organisations at risk by opening malicious attachments and visiting suspect websites,” explained Dr Jim Kent, global head of security and intelligence at Nuix.

“While the policies and training are crucial, we need to become far better at ‘idiot-proofing’ our technology such that, even if people do the wrong thing, the malware doesn’t run or otherwise doesn’t achieve its end goals.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
