Internal risk biggest danger, say CSOs

Internal risks, including information leakage, data theft, and employees and partners, continue to represent the greatest threat to corporate information security, a recent industry survey has found.

The poll of more than 40 IT security directors, taken at CSO Interchange, a seminar for blue-chip information security officers run by on-demand security provider Qualys, found that information leakage represents a “serious problem” for 45% of organisations.

A further 45% of respondents said information leakage was a “problem”, while only a meagre 5% could say definitively that it is “not an issue”.

Data theft is an area of particular concern, the poll revealed, with 15% of respondents admitting that their organisations have “no controls in place” to manage the threat. Of those organisations that do have controls, a staggering 67% agreed that these are “not robust”.

More worryingly, nearly 10% of information security directors said the risk of data theft has never even been assessed.

So-called insiders, including employees, partners and virtual workers, represent the single greatest hazard where corporate information security is concerned, outstripping vulnerabilities and malware, the survey found.

In sum, the poll revealed an information security community preoccupied by an expanding range of internal risks, with 64% of respondents finding it more difficult to secure their networks in the current corporate environment, compared to only a year ago.

The findings come just as a series of warnings, issued by global credit checking organisation Experian, security giant McAfee, and even MI5, have served to underline the truly startling global scale of corporate espionage, and IP and data theft – perpetrated by outsiders and insiders alike.

On Monday, The Times newspaper reported that none other than Shell and Rolls-Royce have recently fallen victim to sustained spying attacks, in which confidential information was stolen.

Such activity is being driven by the international trade in corporate and personal data, which many security experts argue has effectively become a currency in itself, lubricating a global shadow economy.

Meanwhile, innovations in mobile working, data capture mechanisms, and dramatic changes in corporate business models, have served to all but dissolve both the concept and reality of a corporate boundary or outer “wall”, facilitating the large-scale theft of data from multiple points of access.

November's spectacular HMRC data breach, in which the personal details relating to nearly half the country were allegedly lost in transit, has also highlighted the threat presented by the systemic failure of process controls and the sheer incompetence of employees.

The CSO Interchange poll findings suggest that many organisations are struggling to get to grips with the inherent complexity of these problems, even if the awareness of such issues is on the rise.



Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...
