The true scale of the insider threat
UK employees are likely to either maliciously or accidentally disclose confidential information about their employers to unauthorized personnel.
A LogRhythm survey of 3000 UK workers revealed that 37 percent of people have shared privileged company information with their friends and family, while 21 percent of laptop/desktop-owning respondents stated that they have transferred company data to their personal computer, even though more than half of these devices – 58 percent – were shared with, or could at least be accessed by, other people.
Smartphone users also present a risk, with 14 percent admitting that they transfer work data to their personal handsets.
The research also showed that many employees would leak company information to the media if they thought their employee was acting immorally or illegally, with 26 percent willing to become whistleblowers. A further 34 percent stated that they would report this activity to the police.
When asked about the scale of the security risk posed by employees, 82 percent of respondents stated that they believed the insider threat to be equal to or greater than the threat posed to organizations by external attackers.
“This research shows that there are many ways in which security breaches can occur, regardless of the insider’s intentions,” said Ross Brewer, vice president and managing director, international markets, LogRhythm. “In transferring information to a personal laptop or smartphone, an insider is putting that information at risk of misuse. It need not be deliberate action but simply carelessness that does the damage. Moreover, the willingness of employees to gossip about confidential information with their friends and families, and even to deliberately disclose information to non-colleagues, shows that organisations should be very concerned about the information they make available to insiders.”
The survey also suggests that the security risks posed by employees may worsen in the future, as workers between the ages of 18 and 24 were routinely the worst offenders. They are more likely to transfer confidential information to external devices, particularly to smartphones where figures were 10 percent higher than average at 24 percent. This group was also more likely to share information with friends and family, with 40 percent doing so.
“Despite the readiness of some of those surveyed to reveal confidential information about their organisations, many of those same people also believe that stricter rules need to be enforced and are concerned about treatment of their own information,” continued Brewer. “65 percent of those surveyed worry that their personal data might be misused by banks, shops, local councils or other organisations they interact with. Judging by the risks they themselves take with their own employers’ intellectual property, they are probably right to be nervous.”
When asked about how easy it was to access company secrets, 19 percent reported that there was no policy restricting access to information on the company network, while a further 15 percent said that although there was a policy, it was still possible for unauthorised people to access privileged content. Support for more stringent security procedures was high, with 63 percent favouring strictly enforced policies to prevent unauthorised staff from accessing data, 60 percent advocating disciplinary action for staff in breach of the rules and 52 percent backing the use of technology to monitor access to restricted files.
“While stricter policies and disciplinary action may deter some staff, it is only by continually monitoring networks that organisations can detect anomalous activity and minimise the risks of leaks occurring in the first place,” said Brewer. “For example, deploying a Protective Monitoring system that enables the analysis of log data in real-time means that if a leak were to occur, it would be detected and dealt with straight away. This is vital for minimising the significant reputational and financial damage that can occur as a result of a security breach.”