By Daniel Hunter
Clearswift, the global cyber-security company, unveiled its latest research report, The Enemy Within 2013, identifying the extent to which internal security threats are affecting UK organisations, and how these are being managed.
The research has shown that improving and maintaining IT security remains a top three priority for 46% of organisations — and rightly so, as 83% of organisations had experienced some form of data security incident in the last year.
However, it appears that their focus on the type of threat is misguided: many organisations are fixated on external security threats, such as cyber-criminals and hackers - over two thirds (69%) of respondents named protecting sensitive data from outside threats as a key driver for them.
The reality is that 58% of respondents estimated that data security incidents within their organisations over the last year have come from across the extended enterprise (e.g. employees, ex-employees and trusted partners), compared with 42% attributing them to outside the organisation.
The internal threat - either by human error or malicious intent, lack of awareness of security policies and the use of personal devices on the corporate network - is fast becoming the enemy within. The increased uptake of ‘bring your own device’ (BYOD), cloud-based tools and the reliance on the extended enterprise to share information across global and diverse networks and with third parties are all building towards perfect security storm conditions ahead.
“These findings are a wake-up call to UK businesses. Internal threats don’t make the headlines quite as much as Far Eastern hackers, but must be taken more seriously by businesses as they are having a major impact on organisations far beyond the confines of the IT department,” Guy Bunker, Senior vice president of products at Clearswift, commented.
So where are these internal threats coming from? Across the extended enterprise, 33% were attributed to employees, 7% were the result of ex-employees and 18% were due to errors incurred by third parties. A key factor in the security storm is BYOD, which is proving to be an unstoppable force, driven by employees’ desires to use familiar equipment that will help them do their job better.
The survey found that the top three BYOD threats are believed to be employee use of USB or storage devices to save company data, inadvertent human error (e.g. sending an email to the wrong recipient) and employees sending work-related emails via personal email accounts or devices. It is likely that the 7% of security breaches caused by ex-employees cited above were made possible by weak security measures around BYOD.
The proliferation of BYOD must be addressed in order to avoid further security incidents. However, only 31% of organisations are accepting or proactively managing BYOD — the rest are resisting and blocking access where possible (52%) or denying it altogether (11%). This is despite the belief by half (53%) of the respondents that users will continue to use their own devices on the network, whether it is sanctioned by IT or not.
“Any organisation that does not take BYOD seriously is simply setting themselves up for a fall. It must be recognised within the security policy or there will be repercussions for the business - compliance, regulation, financial costs in the form of hefty fines, as well as reputational damage of the organisation,” Guy Bunker adds.
Recent headline-grabbing stories have ensured that cyber-attacks remain a concern for organisations and keep IT security high on the corporate agenda; however, 72% of respondents surveyed are struggling to keep up with the changing security landscape. Despite this, 81% think all companies should be more forthcoming about reporting major security breaches and attempts, perhaps in recognition of forthcoming UK government and EU legislation to make companies publicly share these incidents.
“This research validates how much of a priority internal data security is for businesses; we know that it is a fast-changing environment and that organisations do struggle to keep up with the external, as well as the emerging internal threats,” Heath Davies, CEO of Clearswift, commented.
“A comprehensive security plan will cover all of these and should be backed up with a visible and tangible security policy to ensure the enemy within is not afforded the opportunity to incur any financial loss or reputational damage to the organisation.”