Rogue employees are the biggest threat to information security, yet there is little investment in training or compliance.
Based on a poll of 79 attendees at last week’s Infosecurity Europe 2014 by the BSI, 37 per cent of respondents said the biggest threat was rogue employees, higher than cyber attacks (19 per cent) and bring your own device (15 per cent).
Suzanne Fribbins, risk management expert at BSI, said that it was no surprise to see insider threats as the biggest risk to information security, as employees will always be the one thing that cannot be controlled. “Employees don’t necessarily have to be malicious to put a company at risk; they may just not understand the possible risks associated with their actions.”
Speaking to IT Security Guru, Tom Cross, director of security research at Lancope, said it is important to distinguish between the different classes of insider threat, as some insider threats are a consequence of employee negligence. “Such as someone leaving a laptop with sensitive information on an airplane, or someone setting up a development website on the internet with real customer data,” he said.
“These are by far the most common causes of sensitive data loss by organisations. In other cases, malicious employees intentionally steal information. Of course, employee credentials or computer systems are sometimes compromised by external attackers. Each of these three categories of insider threat (negligent insiders, malicious insiders and compromised insiders) requires distinct responses within an information security program.”
The recent Verizon data breach investigations report found that the use of stolen and/or misused credentials (user name/passwords) was the main way to gain access to information, with two out of three breaches exploiting weak or stolen passwords.
The survey also found that 52 per cent of respondents had implemented an internal information security policy, while 47 per cent had provided staff training. Asked if he expected that training would be adopted by the large majority of respondents, Cross said that employee training can have a huge impact on all kinds of insider security threats, and that training is the most effective means to combat employee negligence that results in data loss.
“However, it also helps if the organisation puts thought into how to ‘keep honest people honest’ by ensuring that good information handling practices are also the path of least resistance for getting work done in the organisation,” he said.
“Training can also have an impact on certain compromise vectors like spear phishing. Although some employees will not respond to training, others will, and often a sharp-eyed employee can be your first indicator that a sophisticated attacker is attempting to use spear phishing to compromise your organisation.”
The survey also found that 29 per cent of respondents are certified to ISO 27001, or are operating in compliance with it (34 per cent), while a further 23 per cent indicated they were looking to certify in the immediate future.
Cross said: “Compliance frameworks like ISO 27001 can help you organise your information security program and explain the actions you are taking to management as being consistent with best practices. However, robotic compliance with standards should not be the driver of your information security efforts, as inevitably a minimal effort to meet standards compliance will leave important gaps in your defences. You should focus on protecting the organisation first by addressing the most important attack vectors, and then align those efforts to standards as a secondary step.”