The recently published 2011 CyberSecurity Watch Survey claims to show that 21 per cent of attacks on organisations are caused by insiders.
The report also notes that the proportion of respondents who regard insider attacks as more costly rose this year to 33 per cent, up from the 25 per cent reported last year.
The report is also interesting in that it defines an insider as an employee or contractor with authorised access, and it notes that these attacks are becoming more sophisticated, with insiders employing rootkits and other hacking tools. This is a significant shift: until now, insider attacks have relied on very simple techniques and tools (the kind available on any workstation).
There is a larger problem here that flies under the radar and does not seem to be captured in the statistics. It centres on the individual who has no deliberate intention of causing the company any damage. Rather, the insider threat is mostly caused by an employee who legitimately accumulates information over time, and that information is never removed when the employee leaves the company.
The danger arises when the employee re-uses that data at their next place of employment or, as sometimes happens, the data 'leaks' from the employee's own computer.
Another survey, of over 1,000 UK employees, found that 85 per cent of employees hold corporate data on their home computers or mobile devices. And 79 per cent of those surveyed said that their organisation has no policy, or that they are unaware of any policy, for removing company data from their laptop or other portable device when they leave the company.
Against this backdrop, I recommend that while companies scurry around to defend their digital assets against the apparent insider threat, they also need to defend against those members of staff who plan to take data with them when they move on to another organisation.
Approaching a review of a company's security policies and controls from this angle means the process is not as futile as some professionals think it is; instead, it assesses and prioritises the largest risks in a logical manner.