In recent years tales have spread about the growing prevalence of organised criminal networks initiating IT security attacks on businesses from far-off lands. But the UK government’s bi-annual security survey reveals that a more common culprit is rather less glamourous and much closer to home.
The Department of Trade and Industry’s (DTI) Information Security Breaches survey, conducted by PricewaterhouseCoopers, reveals that in 52% of large businesses, the cause of the most severe security breaches has been people within the organisation. But rather than malicious intent, experts have blamed ignorance and poor training for the growing insider threat.
The survey indicated that 68% of organisations carry out periodic audits of their security processes; 63% monitor activity for anomalies; and 39% use software to detect any violations of security policy.
But these procedures did not appear to be working when end users were questioned. Just 31% of staff were aware of their company’s security policy, and only 22% reported that they owned a copy. The survey indicated that the most common forms of abuse occur due to a lack of education among staff.
Speaking during a panel debate at the Infosecurity conference in April, Jason Creasey, senior projects manager at the Information Security Forum (ISF), an independent advisory organisation, recognised how difficult it is to get employees to adhere to policy. The solution, he said, was to ensure that security policy takes into account the way in which individuals like to work; “”Make [it] personal to people and they will in turn help to police it,” he said.
However, Creasey’s fellow panelist Jason DeHaan, a consultant at Internet gaming company Excapsa, took a more dictatorial approach, recommending that companies implement a zero-tolerance policy towards rule-breakers. “Don’t be afraid to make an example of them,” he said.
But DeHaan sympathised with security managers’ difficulties in combating internal abuses. “There isn’t a clear profile of the kind of employee that will misuse systems,” he said. The variance in motives and lack of uniformity in offenders makes them difficult to identify and so take defensive measures against, he added.
Given this handicap, it is perhaps not surprising that security managers’ expectations for improvement in this situation are low. According to the DTI, 68% of large organisations expect to encounter more security incidents next year than they have done in the last twelve months. Pessimism is on the increase, it seems: in 2004’s survey, this number was only 59%.
But for some organisations, the insider threat is nothing new. “I’ve always had suspicions about some of our staff,” said Stephen Bonner, director of technical security at investment bank Barclays Capital, noting that internal fraud has been around a lot longer than the Internet. “We’re well positioned against this because we’re always aware of it,” he explained.