Disgruntled employees and other malicious insiders could be one of the most serious security threats companies face – but the importance of the threat from the ‘enemy within’ varies according to who you ask.
A survey of IT security professionals at this year’s Infosecurity Europe trade event found that a (20%) of organizations believe that insider threats pose the most serious threat to corporate security, according to Information Age.
The opinion of IT professionals surveyed at the RSA found that the largely U.S. group under survey believed that outsiders posed a far more serious threat than insider threats – and just 5% of respondents blamed insiders.
Fudzilla reports that nearly two thirds of U.S. professionals regarded outside criminal groups as the biggest threat faced by companies – versus 35% in the UK.
Both groups agreed that employee error and ignorance posed a serious threat to organizations – with 44% of Infosec attendees believing that human error is the most frequent point of failure faced by organizations, along with 33% of those surveyed at RSA.
Both groups were in agreement that employees, rather than technology, were the weak spot in company security systems – with 70% of UK respondents and 71% of US respondents saying that ‘people’ were the weak link in corporate systems.
ESET Senior Research Fellow David Harley said, “I’d have to agree that a very high proportion of security breaches are caused directly or indirectly by people inside an organization, whether it’s a matter of human error, susceptibility to social engineering, bad security management decisions, and so on. I’m not convinced that deliberate malicious action from insiders outweighs all those other factors.”
Both groups cited malware as the most dangerous attack vector, combined with the use of social engineering – and Appriver, the specialist app security company which conducted the surveys said that companies had seen a “dramatic increase” in phishing attacks.
“Whilst the US blames external influences, the UK recognises it is their own people who can act as the weakest link in an organisation’s IT security posture – with ignorance the overarching driver. While it’s hard to plan for ignorance, the combination of education and automation would certainly help mitigate most non-malicious threats especially as many IT professionals have faith in the technology they’re deploying,” said Troy Gill, senior security analyst of AppRiver.
Author Rob Waugh, We Live Security