Insiders are bigger threat than perimeter: report

Employees falling prey to social engineering ploys or with an agenda pose the “biggest threat to company security,” concluded a new report from Nuix.

Based on responses from 28 corporate security executives across 10 business sectors, the survey found 93 percent claimed human behaviour was the biggest threat to their organisations' security, up from 88 percent in 2014. 

This is the first time that Nuix collaborated with Ari Kaplan Advisors to track developments influencing corporate security strategy. The report is called “Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices.”

According to the report, 71 percent of respondents have an insider threat programme or policy; 21 percent attributed some of their security team's spending increases to additional protections against internal hazards and 14 percent reported allotting 40 percent or more of their budget to insider threats.

Human behaviour within companies, prompted by losing out on a promotion or impressing the competition with proprietary sales leads, more likely will lead to a data breach than an outside attacker, Keith Lowry, Nuix senior vice president for business threat intelligence and analysis, told SCMagazine.com.  

“When [companies] do vetting, such as background checks at the time of hire, that's not a good indication of what they might do in the future,” said Lowry, citing Edward Snowden and Chelsea Manning as two individuals who had passed security clearances, only to abscond with data.

But the research found anecdotally that companies treat the insider threat as a risk management matter, Lowry noted. Even if certain employees are found to being stealing company information, typically organisations will make an offer to keep them, depending upon their value to the particular company, he noted.

Lowry cited a situation with which he was familiar prior to joining Nuix: a CTO was caught taking material and was told, “We know what you're doing, but we don't want to lose you. We really value you as an employee.” Both parties agreed to certain terms going forward.

It behooves organisations at the point of hire to spell out internal monitoring policies to new employees, so they're aware they could be discovered taking what they shouldn't, Lowry said. Another is to review access privileges.

Typically, companies don't quickly terminate an employee in an inside data theft situation for fear of public reaction, such as the company's stock price being negatively impacted or its reputation damaged, he pointed out. Such a mitigation approach to the internal threat focuses on “critical value data – how many people have access to things that really matter to the company,” Lowry said.