Tuesday, 28 March, 2023
IT Security Guru

Insider threats are the cause of a third of breaches

by The Gurus
November 22, 2013
in Editor's News

Around a third of breaches are the result of the “insider threat”.

Forrester’s recent report “Understand the State of Data Security and Privacy” found that 36 per cent of breaches were the result of some kind of misuse of data by employees. In defence of employees, the report found that only 42 per cent of staff said that they had received training on how to stay secure at work, while only 57 per cent said that they were aware of their organisation’s current security policy.
Speaking at a recent roundtable hosted by Canon, Adrian Davis, principal research analyst at the Information Security Forum, asked how many employees had actually read their policy after initially signing it. “With a policy, you would be lucky to see anything as most people don’t get it. Having a policy is not enough, you have got to do something with it,” he said.
Commenting, Dwayne Melancon, CTO of Tripwire, said that from an employee training and retention perspective, he had seen great success with coupling awareness training with follow-on retention tests and “secret shopper” style testing to determine whether employees are actually hanging on to the information they are expected to know.
“One way to make this cultural emphasis stronger is to provide reports on the retention scores of employees, but organise it according to the business executives to whom they report. This ‘improvement by competition’ approach can help the cultural shift happen more quickly – after all, no executive likes to be at the bottom of the list,” he said.
The Forrester report’s data also found that between January 1st and 27th August of this year, the publicly reported sources of incidents included 447 due to external issues, 360 internal and 83 down to third parties. The most common way a breach occurred was inadvertent misuse by an insider (36 per cent), while loss of a corporate asset or device accounted for 32 per cent. The statistics were based on 512 businesses in North America and Europe that had suffered a data breach in the past 12 months.
Based on a survey of 4,262 employees in North America and Europe, 61 per cent said that they followed the policies “that were in place for data use and handling”.
Melancon said that the results came as no surprise, as insiders have the most unfettered access to critical systems and data so it stands to reason they would be a top vector for attacks and data disclosure problems.
“This data drives home the need for enterprises to monitor their systems and data for suspicious changes and activities, regardless of the source. Merely watching network traffic is not sufficient,” he said.
“This report states that 36 per cent of attacks were a result of inadvertent misuse of data by employees, which indicates we have a lot of work to do to create an informed user community inside our enterprises. Policies are just expectations until employees are given the means and oversight to enforce your corporate policies. If they don’t know any better, you can count on them doing something inappropriate with your data, regardless of their intent.”
Amar Singh, chair of ISACA UK’s Security Advisory Group, said that a more sensible and practical approach could be to identify the people that access known critical data sets like HR and legal, then follow due process and engage and encourage these critical resources to gradually embed and increase security controls in their day-to-day operational activities.
He said: “It is also crucial to define what is normal for your organisation and apply simple tweaks to existing systems to generate alerts on abnormal activity; for example, is the HR administrator accessing the salary package at 9pm a normal and acceptable event?”
TK Keanini, CTO of Lancope, said: “The rise in insider threat represents a trend that has been going on for quite some time. Attackers used to ‘push’ their attacks to servers, now the dominant tactic is to just have the inside user ‘pull’ the attacks into the enterprise where they can be installed and persist over long periods of time.”
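Singh's suggestion of defining what is normal and alerting on abnormal access can be sketched as below. This is an added example, not code from the article or anyone quoted in it; the log format, user names, dataset names and one-hour tolerance are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

TOLERANCE_HOURS = 1  # assumed slack around the observed working window


def parse(line):
    """Parse 'ISO-timestamp user dataset' into (datetime, user, dataset)."""
    ts, user, dataset = line.split()
    return datetime.fromisoformat(ts), user, dataset


def build_baseline(lines):
    """Map (user, dataset) -> (earliest_hour, latest_hour) seen in history."""
    hours = defaultdict(list)
    for line in lines:
        ts, user, dataset = parse(line)
        hours[(user, dataset)].append(ts.hour)
    return {key: (min(h), max(h)) for key, h in hours.items()}


def find_anomalies(baseline, lines):
    """Return (line, reason) for events outside the user's normal pattern."""
    alerts = []
    for line in lines:
        ts, user, dataset = parse(line)
        window = baseline.get((user, dataset))
        if window is None:
            alerts.append((line, "no prior access to this dataset"))
        elif not (window[0] - TOLERANCE_HOURS <= ts.hour <= window[1] + TOLERANCE_HOURS):
            alerts.append((line, f"outside usual hours {window[0]:02d}-{window[1]:02d}"))
    return alerts


# Constructed sample access log used as the "normal" history (not real data).
HISTORY = [
    "2013-11-18T09:12:00 hr_admin salary",
    "2013-11-18T14:40:00 hr_admin salary",
    "2013-11-19T10:05:00 hr_admin salary",
    "2013-11-19T16:30:00 hr_admin salary",
    "2013-11-19T11:00:00 legal_clerk contracts",
    "2013-11-20T15:20:00 legal_clerk contracts",
]
# Constructed events to evaluate against the baseline.
TODAY = [
    "2013-11-21T10:30:00 hr_admin salary",     # inside the usual window
    "2013-11-21T17:45:00 hr_admin salary",     # within the one-hour tolerance
    "2013-11-21T21:00:00 hr_admin salary",     # the 9pm case from the quote
    "2013-11-21T13:00:00 legal_clerk salary",  # dataset this user never touched
]

if __name__ == "__main__":
    for line, reason in find_anomalies(build_baseline(HISTORY), TODAY):
        print(f"ALERT {line}: {reason}")
```

The baseline here is hour-of-day only and assumes a daytime window that does not wrap past midnight; weekday patterns and access volume would be tracked the same way.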