eWeek Security Watch
Advertisement
Advertisement
November 17, 2008 9:48 AM

Insider Threat Driving Many Data Loss Events



Cisco published the final installment of its comprehensive study into data leakage trends last week, with the latest results highlighting the continued contribution of insider activity to the overall problem of electronic information loss.

According to the report, based on a survey of 10,000-plus workers worldwide conducted for Cisco by pollsters InsightExpress, both malicious and inadvertent incidents carried out by privileged insiders remain one of the leading drivers of undesired data exposure.

As with previously-reported findings of the Cisco research, the new results point to disconnect between perceptions of acceptable computer use among workers, IT security teams and IT management as the leading contributor to the problem of employee-driven data leakage.

For instance, a vast majority of the IT decision makers surveyed for the report replied that employee use of non IT-approved programs and applications contributes to between 1-24 percent of all corporate-related data loss and identity theft.

Roughly 40 percent of IT managers participating in the survey admitted to researchers that they have been forced to deal with workers who gained access to an unauthorized physical locations or networks in the last year. However, in some regions, including China, the issue has reared its head on an even more widespread basis, Cisco reported.

Another 40 percent of managers contend that their employees have allowed unauthorized outsiders to use their work devices or network privileges, highlighting yet another serious risk to information loss.

Among end users, 40 percent (apparently the report's magic number) of those people responding to the survey said that they have shared sensitive information with outsiders merely to gain feedback on their ideas. Another 30 percent said that they've done so to vent about the nature of their work, and said that they saw no reason to worry about doing so.

Some two-thirds of workers participating in the study admitted to engaging in routine activities that directly threaten data security, including behaviors such as leaving their computers unattended overnight without first logging off.

Only 50 percent of the end users surveyed for the report who work remotely said that they actively monitor their surroundings to ensure that they aren't being spied on, and in some countries, such as Japan, as many as 25 percent of workers indicated that they take no security measures at all when working outside of protected environments.

Among the other significant findings of the report were that 39 percent of IT professionals believe that insiders pose a greater risk for data leakage than external parties. Some 20 percent of IT pros replied that sheer negligence, versus malicious intent, remains the biggest issue among insiders.

Technologies including removable hard drives have also become a major concern for IT security pros, with roughly 30 percent replying that USB drives and other similar devices have become their most significant issue, followed by e-mail at 25 percent. Lost or stolen devices remain another major challenge, cited by 19 percent of IT pros as their greatest data security worry.

Some 10 percent of the workers participating in the survey admitted that they had lost or had a corporate device stolen in the past year, creating a data loss incident for themselves and their companies, Cisco said.

Purely malicious behavior, such as stealing and selling data or devices for a profit, seemingly remains less of an issue for most of the organizations represented in the research, but it is a surprisingly significant factor in information loss, with 10 percent of the workers responding to the study copping to either doing so themselves, or knowing a fellow employee who did so.

Cisco's internal security chief said that the blurring of work environments, rapid technological advancement and the demand by employees to use technologies they embrace at home in the workplace are other major data loss drivers.

"The blending of work vs. home and public vs. private means that data can be accessed, transmitted, stored and stolen from anywhere at any time," John N. Stewart, chief security officer of Cisco, said in a report summary. "As a result, the approach to data protection must change. From the largest corporate enterprise to the youngest consumer, we all share the responsibility to maintain awareness and discipline in protecting information. As we've said all along, this research presents an opportunity to evolve security toward a necessary combination of education, policy and technology."


Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

Posted by Matthew Hines on November 17, 2008 9:48 AM

| Comments (3) | del.icio.us | digg.com | Trackback | Post a Comment
TrackBack

TrackBack

http://securitywatch.eweek.com/cgi-bin/mte/mt-tb.cgi/15743

Comments (3)

John Franks :

I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need.

As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.

The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html -

The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.

In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.

Posted by John Franks | November 18, 2008 12:37 PM

Maven :

The points mentioned in this article are absolutely the case. After years of intensely developing Internet based technology and applying it to our work and home environments it's clear that the line between private and public, work and home is virtually non-existent. From the youngest consumer to corporate enterprise executive, everyone should have the capability of properly guarding the information they own or for which they're responsible. That is why the fundamental idea behind Fortressware (www.fortressw.com) has been that data needs to be protected from unauthorized access continuously, from the point it is created to anywhere it is accessed. You can check it out, and try the Beta program for free - www.fortressw.com/beta_reg.

Posted by Maven | November 20, 2008 2:45 PM

Data Protection :

While I have no reason to refute the numbers in this case, I still point the finger at the companies, rather than the employees. There are so many ways to make sure that your workforce is compliant. If their respective networks are suffering because of a LACK of compliance, they should just bite the bullet and implement company wide compliance measures. All of the rules are undoubtedly laid out in all of their employee handbooks and hire agreements, etc, so they feel as though they have covered their bases. Still, you need safeguards in place because, as we all know, idle hands tend to wander, regardless of the printed word.

Posted by Data Protection | November 3, 2009 12:26 PM

Post a Comment

 
 
RSS Syndication

Security News

Advertisement

Adware

Apple

Applications Whitelisting

AV tools

Backdoor

Blacklisting

Blended attack

Botnets

Browsers

CAG

China

Cisco

click fraud

Corporate espionage

Cyber-war

Data Security

Data securityAdd category

Database security

DDoS

Disaster Planning

eBay

Enterprise security strategy

Ethical hacking

Exploits and Attacks

Facebook

Flaws

Google

Government standards

Hactivism

Identity Theft

iframe

Illegal pharmacies

Infrastructure security

Intrusion Detection/Prevention

ISPs

Malware

Mergers and Acquisitions

Messaging security

Microsoft

Microsoft Windows

Mobile malware

NIST

Online malware

Open Source

Oracle

Patches

Phishing and Fraud

PowerPoint

Privacy

Product Reviews

Products

Regulation

Risk Management

Rogue AV

Rootkits

SaaS

SCADA

Search

SEO

Smartphone security

Social engineering

Social networking

Spam

SQL injection

Trojan attacks

Twitter

video games

Virus and Spyware

Vulnerability Research

Web 2.0

YouTube

Advertisement
Security Watch     Contact Us | Advertise | Site Map
eWEEK Quick LInks

Security:
Enterprise Security
Network Security
Infrastructure Security
How To: Data
IT Security News
Cheap Hack Blog
Security Watch Blog
Storage:
Data Storage
Cloud Storage
Storage Virtualization
Network Access Storage
Storage Reviews
Data Storage News
How To: Storage
Storage Station Blog
Computing:
Apple OSX
Linux Systems
Windows Vista
Managed Print Services
Cloud Computing
PC Reviews
Microsoft Watch Blog
Apple Watch Blog
Google Watch Blog
Communications:
VoIP Solutions
Wireless Technology
Messaging Software
Web Services
Mobile Applications
Wireless News
Mobile Reviews
Apps & Development:
Application Development
SAAS
Search Engines
Database Software
Web 2.0
IT Project Management
Emerging Tech Blog
CIO Insight Blogs
CIOs

Vertical Markets:
Federal Government IT
Health Care IT
Finance IT
Mid-Market
Channel Partners
Careers Blog
Value Added Resellers
More eWeek Links:
Tech Knowledge Center
Tech Newsletters
Tech RSS Feeds
White Papers
Tech Podcasts
Tech Videos
Green IT
eWeek Magazine Subscriptions
Enterprise Websites:
ZDE Home
Baseline
Channel Insider
CIO Insight
eSeminars
eWeek Mid-Market
Publish Online
Web Buyers Guide
Developer Websites:
Dev Shed
DeveloperShed
ASP Free
MS DevSource
SEO Chat
Codewalkers
Tutorialized
Scripts.com
Dev Mechanic
Dev Articles
Web Hosters
Dev Hardware
Technology Websites:
Device Forge
Desktop Linux
Linux Devices
Windows for Devices
iGrep Search Engine
PDF Zone
Linux Watch

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright ©1996-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt, and eWeek Security Watch are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
eWeek is your best source for the latest Technology News.
Hosted by Hostway.

Ziff Davis Enterprise