Despite the perception that hackers are an organisation’s biggest cyber security threat, insiders – including careless or otherwise naive employees – are now viewed as an equally important problem. That’s according to the results of a detailed study conducted by Dimensional Research on behalf of Preempt.
‘The Growing Security Threat from Insiders’ Report finds that 49% of IT security professionals surveyed were more concerned about internal threats than external ones, with the majority (87%) most concerned about naive individuals or employees who bend the rules to ensure their job is done. Only 13% were more concerned about malicious insiders who intend to do harm.
Malware unintentionally installed by employees ranks as the top internal security concern, with 73% of respondents claiming they were worried about this aspect ahead of stolen or compromised credentials (66%), snatched data (65%) and the abuse of admin privileges (63%).
“According to the survey respondents, internal threats are emerging as being equally as important as external ones,” stated Diane Hagglund, founder and principal of Dimensional Research. “This means that an employee cutting corners to try and ensure that their job’s done more efficiently is viewed as being potentially every bit as dangerous as a malicious external hacker, yet these views are not reflected in the allocation of security budgets, which are traditionally focused on perimeter security.”
In addition to concerns about insider threats, the report also analyses cyber security training and end user engagement programmes. While nearly all of the organisations surveyed (95% of them, in fact) provide end user security training, very few (just 10%) believe this training to be very effective.
Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring yet again as the top two threats in the Business Continuity Institute’s most recent Horizon Scan Report. It’s perhaps for this reason that cyber security has been chosen as the theme for Business Continuity Awareness Week 2017, with the intention of improving an organisation’s overall resilience by enhancing cyber resilience and recognising that people are key to achieving this end goal.
“Intentional or not, insider threats are very real,” commented Ajit Sancheti, co-founder and CEO of Preempt. “From Snowden through to the FDIC, new headlines continue to emerge. It’s obvious that we need to adopt a new approach in order to stay ahead of insider threats. Without real-time prevention solutions and improved employee engagement, these threats will not only increase, but also find more sophisticated ways in which to infiltrate and navigate a network. The future of security practices relies on security professionals’ ability to not only understand users and anticipate attacks, but also on how to mitigate threats as quickly as possible.”
Human behaviour “greatest threat to cyber security”
Information security practitioners almost universally agree that human behaviour is their largest security threat, with 97% of security executives surveyed agreeing that it was their organisation’s greatest vulnerability. This is the key finding of a study recently conducted by global technology company Nuix.
To counter the threat posed by human behaviour, businesses are becoming less likely to use fear in order to convey important security ideas. Only 24% of the late 2016 survey’s respondents tried to scare people into improving security, compared to 39% in 2015. Instead, security leaders are using policies, awareness and training to help people become part of the solution.
The Defending Data Report 2016 notes that, while businesses are investing to develop broad and mature cyber security capabilities, many survey respondents are uncertain about the most effective technologies and capabilities upon which to focus. Nearly four in every five respondents (79%) said they had increased spending on data breach detection in the past year, while 72% said they planned to do so in 2017. However, a majority of respondents (52%) said preventing data breaches was their top spending priority, while 42% said detection was their primary focus.
“Where this breaks down is that, even after they’ve received security awareness training, a large proportion of people will still put their organisations at risk by opening malicious attachments and visiting suspect websites,” explained Dr Jim Kent, global head of security and intelligence at Nuix.
“While the policies and training are crucial, we need to become far better at ‘idiot-proofing’ our technology such that, even if people do the wrong thing, the malware doesn’t run or otherwise doesn’t achieve its end goals.”