A considerable proportion of IT security budgets is directed to securing the network perimeter, and with good reason. Hackers are breaking through security defenses with increasing frequency and this year has seen some of the biggest cyberattacks ever reported.
However, internal threats should not be ignored. According to a recent Dimensional Research/Preempt study, most IT security professionals believe internal threats have increased over the past few years to the point that they are now of greater concern than cyberattacks by hackers.
For the study, 317 independently verified IT security professionals from organizations that employed more than 1,000 staff members were asked a range of questions about insider threats, including the barriers preventing organizations from mitigating risk and the measures employed to deal with the threat.
When asked whether they were concerned about internal threats, only one respondent out of 317 said they had no concerns, and 49% of survey respondents said they were more concerned about internal threats than about external attacks.
The biggest cause for concern – rated by 87% of respondents – was a lack of security awareness and employees bending company rules to get the job done. Other top concerns were accidental malware downloads (73%), theft of user credentials (66%), data theft (65%), and abuse of admin privileges (63%).
Tackling insider threats is proving problematic due to a lack of skills, appropriate technology, and resources. 10% of respondents said members of the security staff lacked the necessary skills, and 64% of respondents said they had staff members with sufficient skill levels to address the risk, but that those staff were so overworked that they had been unable to respond to the insider threat.
Risk can be minimized by ensuring that end users only have access to data and systems necessary for them to perform their work duties, yet 91% of respondents said insiders had access to systems that they shouldn’t. Unfortunately, organizations lack the time and resources to address that problem.
A lack of resources and the appropriate technology to monitor data access was also an issue. 70% of respondents said they were unable to effectively monitor the activities of privileged users.
Training end users on security best practices and improving cybersecurity awareness can help organizations reduce risk. 95% of respondents said training was provided to staff, mostly via newsletters and email alerts (68%), online training (61%) and in-person training (47%). However, training programs were not seen as being particularly effective.
Seven out of ten respondents said their training was somewhat effective and only one in ten felt training programs were very effective. One of the main issues was getting end users to put effort into learning. The majority of respondents said their organization’s employees were willing to take part in security training, but only 25% said end users actually put any effort into learning about security best practices.
With the threat from within growing, organizations must do more to mitigate risk; however, without an increase in investment, insider breaches are likely to increase. Organizations must also do more to improve their security training and engage end users in training programs.
According to Ajit Sancheti, co-founder and CEO of Preempt, “Without real-time prevention solutions and improved employee engagement, these threats will not only increase, but find more sophisticated ways to infiltrate and navigate a network. The future of security practices relies on the ability to not only understand users and anticipate attacks, but also how to mitigate threats as quickly as possible.”