The ‘2014 Vormetric Insider Threat Report – European Edition' reveals that more than a quarter (26 percent) of businesses in UK, France and Germany feel vulnerable to the threat of insiders leaking data – either intentionally or unintentionally – with close to half (46 percent) feeling more vulnerable than in 2012. A further 36 percent believe that things have not become easier to manage.
The study, which surveyed 540 senior IT professionals and business decision makers, followed on from a similar study by the companies in the US last year and its findings were discussed in full at a roundtable in central London earlier this week.
The executive summary from the report seemed to suggest that the actions of former CIA contractor Edward Snowden, who continues to leak damaging reports on the level of surveillance employed by the NSA and GCHQ, combined with news of data breaches and government-sponsored APTs, was having a detrimental effect on employers trust of their employees.
“As large-scale breaches, APTs and Snowden-related discussions dominate the news cycle, it is clear that insider threats are among the most prominent IT security issues facing organisations today, a feeling which is reflected within the findings of our report.”
But at an event in London on Tuesday, Andrew Kellett, principal analyst at Ovum, was keen to point out that data breaches, innocuous or otherwise, can often be down to employee mistakes, or even malicious intentions by contractors or suppliers.
“Suppliers, contractors…anyone you don't control properly, will fall under the area of insider threat,” he said. Noting the Target breach he added: “If you set up [credentials] correctly, the business partner wouldn't get a look at that data.”
“Think about administrators, privileged users, and the fact that organisations make data available to contractors and suppliers. You have to think about the bigger picture.
“There are also a lot of concerns about third parties in terms of data compliance, and where the data is held.”
Indeed, the report indicates that sending sensitive data and IT assets to non-technical employees was the biggest risk (49 percent) of insider threat, followed – more surprisingly – by the CFO and CEO (29 percent).
Cloud storage, a topical issue in light of the move to services like Amazon Web Services – was also highlighted as a big concern by 62 percent of businesses, with another 52 percent worried about big data repositories containing sensitive material.
‘Snowden informed their thinking'
What caught our eye on the report was the finding that almost half (46 percent) of businesses now feel more at risk from the insider threat, with another third (36 percent) feeling as though ‘things had not become easier'.
How much had Edward Snowden played a part – considering his leaks came halfway through 2013 – and the growing number of data breaches, and even employee devices.
Ovum's Andrew Kellet admitted that it could be all three but said that Snowden's revelations had, in particular, had a shocking effect on businesses based in the US.
“Overall, and certainly because of the focus on Snowden, US organisations certainly do appear to be more nervous [about insider threat] than in Europe,” he told SCMagazineUK.com. The report seems to back this up, showing that 47 percent of US firms ‘feel vulnerable to the insider threat', compared to 25 percent in Europe.
Alan Kessler, CEO of Vormetric, agreed saying that Edward Snowden has opened their eyes to the dangers not only of the insider, but the insider with the required privileged-user access rights: “Snowden informed their thinking.”
Spending on the rise
The positive in all of this is that European companies are at least prepared to spend to mitigate against the risk – 66 percent plan to increase their IT budgets as a direct response.
Perhaps this should come as little surprise – Target's margins have reportedly dropped by 50 percent since the data breach late last year, while a recent study by Semafone shows that 86 percent of consumers shun brands who have had an incident like this.
Both Vormetric and Ovum speakers weren't overly clear on where this spend is going – be it big data or SIEM solutions for logging, or to security awareness training for educating staff – but stressed that encryption and identity management is the key going forward.
On the matter of logging, Kellet said that there must be easier ways to manage what's going on.
“European companies are fairly sophisticated in monitoring via logs at the security operations centre, but there is more room for improvement as far as insider threat is concerned.
“[They've] got to make it a lot easier to analyse the data, seeing the bigger picture of what is going on. The average time for detecting data breaches is quite long.”
Fears heightened with new EU DPA
On the subject of breaches and fines, Kellet admitted that fears over insider threat are likely to rise should the EU's proposed Data Protection Act reform become reality.
The draft bill proposes fines of up to five percent of global turnover (or €100 million) as well as regulatory reporting within 72 hours.
Kellet admitted that DPA will make people more worried. “Yep…it will tighten up rules, and introduce heavier fines,” he said of his belief that business decision makers will worry more of this kind of threat in future.
Speaking prior to the results of the study, Stewart Room, privacy lawyer and partner in Field Fisher Waterhouse's Technology and Outsourcing Group, said that insider threat is a culmination of a number of issues.
“Clearly, compliance requirements, privacy regulations and ongoing data breaches are having a strong effect on organisations,” said Room.
“With 66 percent planning to expand IT security spending to offset insider threats, and the challenges they are seeing with protecting data within cloud, mobile and big data environments, enterprises are seeing that their security posture needs to be updated, and are taking steps to do so.”