Security Threats Behind The Headlines

Security Policy

Recent headline-grabbing stories, such as a breach at Sony PlayStation and the hacktivists at LulzSec, have ensured that cyber-attacks remain a concern for organisations and governments and keep IT security high on the agenda. However, the headline-grabbing news often focuses on high-profile hackers, and whilst this should be taken seriously, our latest research has found that it is actually the internal threat that should be more of a concern.

So where are these internal threats coming from? 58% of threats are from within the extended enterprise; a third was attributed to employees, 7% were the result of ex-employees and 18% were due to errors incurred by third parties. This compares to 42% from external sources. The internal threat can be made up of many factors including human error, malicious intent, lack of awareness of security policies and the use of personal devices, all of which have created a perfect security storm.

A key factor in the security storm is ‘Bring Your Own Device’ (BYOD), which is proving an unstoppable force, driven by employees’ desires to use familiar (and often better) equipment that will help them do their job better. The survey found that the top three BYOD threats are employee use of USB or storage devices to save company data, inadvertent human error (e.g. sending an email to the wrong recipient) and employees sending work-related emails via personal email accounts or devices.

The proliferation of BYOD must be addressed through improved security policies and awareness training of risks and consequences, in order to mitigate further security incidents. However, only 31% of organisations are accepting or proactively managing BYOD – the rest are resisting and blocking access where possible (52%) or denying it altogether (11%). This is despite the belief by half (53%) of the respondents that users will continue to use their own devices on the network, whether it is sanctioned by IT or not. Whilst BYOD has been a relatively new challenge for the IT department, it is not the only one.

Another potential change is currently being discussed within the EU: the EU draft Data Protection Regulation. Historically we have seen a number of regional regulations and legislation when it comes to actions regarding a security incident. The new proposal, however, would encompass the whole of the EU and could consist of a 2% fine on the annual worldwide turnover of a business.

This shock tactic is certain to raise eyebrows beyond the realms of the IT department, focusing executives on just how they need to protect the information they are responsible for. However, we know from our research that almost three-quarters (72%) of organisations are struggling to even keep up with the changing security landscape today, let alone update policies to support the new ways of working and doing business.

Overall, the findings within the survey act as a wake-up call to businesses. Along with the fact that 83% of organisations have experienced some form of data security incident in the last year, it is more important than ever that a comprehensive and tangible security policy that covers the way people work today is in place to avoid the repercussions from a cyber-incident in an ever-changing environment.

Guy Bunker

Dr. Guy Bunker is Senior Vice President of Products for UK-based security company Clearswift and is an internationally renowned IT expert with over 20 years’ experience in information security. Before joining Clearswift in October 2012, Guy was a Global Security Architect for HP. He has recently authored a paper on security for the Elsevier Information Security Technical Report and co-authored the European Network and Information Security Agency (ENISA) report on cloud security. Guy is a frequently invited speaker at conferences, including CDANS, AGC Partners, RSA, EuroCloud and InfoSec. Guy is a board advisor for several small technology businesses and has published books on utility computing, backup and the best-selling "Data Leaks for Dummies" on data loss prevention. He holds a number of US patents and is a Chartered Engineer with the IET.