Internal threats are being severely underestimated by organisations in comparison with the attention given to external threats.

In a survey of nearly 400 IT professionals, 61 per cent believed that the majority of security breaches were a result of unintentional user activity, while 17 per cent cited intentional user activity.

Also, 67 per cent of respondents said they considered the sharing of access credentials, such as passwords, smart cards and tokens, to be a major concern, while 60 per cent said they did not have two-factor authentication for their internal network.
Ben Boulnois, EMEA director of DigitalPersona, which conducted the research, said this is an issue of business priorities as the security of an internal perimeter is something that is often moved down the pecking order when it comes to setting budgets.

“The external perimeter is the first in line for attention as firewalls and other security measures take the lion's share of the IT budget, and is still considered by senior decision makers as the main route of security threats,” he said.

“It is clear from the results of the survey that the industry recognises that the internal threat, intentional or otherwise, is a real risk.

“However, the fact that there appears to be so few addressing the problem is worrying. The biggest IT security risk to any organisation is the employee, and companies need to put into place security policies that help to prevent the temptation to breach security.”

Ash Patel, country manager for the UK and Ireland at Stonesoft, said: “The use of IPS internally is lax, as the combination of internal and external security is blurred with the use of personal devices and flexible workers such as contractors.”

Recent research into insider threats by Detica found that businesses were less concerned about attacks from their own employees than they were about external attacks – 42 per cent compared with 56 per cent respectively.