Workers and other insiders admit to risky behavior -- like accessing corporate e-mail from Wi-Fi hot spots -- in a survey by security firm RSA.
By Thomas Claburn InformationWeek December 11, 2007 05:20 PM
The people inside an organization represent its greatest security risk.
That's according to a report (pdf) released on Monday by RSA, the security division of enterprise storage company EMC (NYSE: EMC).
RSA said that the survey was fielded in November and consisted of 126 person-on-the-street interviews (using questionnaires) of government and corporate office workers in Boston and Washington, D.C.
"The findings of the survey underscore that the threat posed to data by well-meaning insiders -- employees, contractors, suppliers, partners, visitors and consultants who have physical and/or logical access to organizational assets -- greatly broadens that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes," the report states.
The recent 2007 SANS Top 20, a list of the year's most significant security risks, also noted that computer users tended to be the weakest link in the computer security chain.
What sort of risky behavior are office workers engaging in? Some 52% said they sometimes or frequently accessed work-related e-mail via a public computer, such as might be found at an Internet cafe, hotel, or airport. And 56% sometimes or frequently accessed work-related e-mail through a wireless hotspot.
Asked, "Have you ever lost a laptop, smartphone and/or USB flash drive with corporate information on it?", 8% said they had.
And 63% of respondents indicated that they sometimes or frequently send corporate documents to a personal e-mail address in order to work on them at home.
While the RSA report suggests that additional security technology can mitigate these risks -- RSA is in the business of selling such things, after all -- it also acknowledges that the blame for users' disregarding security policies belongs in part with the creators of those policies.
"Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business," the report says. "Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy."
And the fact is that for many workers, corporate security policies are either not convenient or are poorly understood. About 35% of respondents said that they felt they needed to work around corporate security policies to get their jobs done.
Sam Curry, VP of product management at RSA, said that the survey respondents were "innocent people working hard to do their jobs" and risks arising from their willful or accidental contravention of corporate policy weren't the product of malice. "Security procedures need to be in touch with the realities of human behavior," he said.
Curry stressed the need for user education, to make workers aware of the consequence of their actions. And he also said that organizations needed tools to monitor employee behavior to understand the gaps between policy and worker behavior. "Organizations need visibility into how people actually behave," he said.
Thursday, December 13, 2007