While the general perception is that external threats like hackers constitute the biggest cybersecurity challenge for companies, a Preempt study has found that insiders, including careless or naïve employees, are an equally vexing problem.
According to The Growing Security Threat from Insiders, conducted by Dimensional Research and commissioned by Preempt, 49 percent of IT security professionals surveyed are more concerned about internal threats than external threats. The top concerns of respondents were malware installed unintentionally by employees (73 percent); stolen or compromised credentials (66 percent); snatched data (65 percent); and abuse of admin privileges (63 percent).
“Internal threats are emerging as equally as important as external threats, according to respondents. This means that an employee cutting corners to get their job done more efficiently is viewed as potentially just as dangerous as a malicious external hacker,” said Diane Hagglund, founder and principal of Dimensional Research. “Yet these views aren’t reflected in the allocation of security budgets, which is traditionally focused on perimeter security.”
The study found insider threats are a growing problem for enterprises, and 87 percent of IT professionals are most concerned about uninformed individuals and employees who bend the rules to accomplish their tasks, while just 13 percent were more concerned with malicious insiders set on inflicting intentional harm.
“Intentional or not, insider threats are real,” said Ajit Sancheti, co-founder and CEO of Preempt. “From Snowden to the FDIC, headlines continue to emerge and we need to take a new approach to get ahead of insider threats. Without real-time prevention solutions and improved employee engagement, these threats will not only increase, but find more sophisticated ways to infiltrate and navigate a network. The future of security practices relies on the ability to not only understand users and anticipate attacks, but also how to mitigate threats as quickly as possible.”
The study also underscored the importance of end user engagement for the success of security programs. While 95 percent of those surveyed said their organization provides end user security training, just 10 percent said they believe the training to be very effective. And while 81 percent say end users are willing to learn, just 25 percent say they are willing to exert the effort to learn. Two-thirds said they see value in providing real-time training and feedback when an end user does something they shouldn’t.
To help protect against insider threats, security teams need additional solutions and approaches, and the appropriate staffing and training to execute security properly. Only 10 percent describe their security team as lacking necessary skills, while 64 percent have the skills but are overworked and so can’t respond. Meanwhile, 91 percent report that insiders have access to systems they shouldn’t, and 70 percent can’t effectively monitor privileged user activities.