Organizations that have had to let go staff during this economic downturn fear reprisals from disgruntled ex-employees, according to a recent global survey by Ernst & Young LLP. For its annual Global Information Security Survey, the Toronto-based professional services firm surveyed 1,900 organizations, 75 per cent of which reported concern for internal and external attacks perpetrated by ex-staff.
In fact, the organizations reported a rise in IT attacks on corporate Web sites and networks in the current economic downturn, with 41 per cent reporting an increase in external attacks, 25 per cent witnessing an increase in internal attacks, and 13 per cent an increase in internally-perpetrated fraud.
Claude Francoeur, a partner in Ernst & Young’s IT risk and assurance practice, said the survey addressed the risk of former employees having access to sensitive data.
“When we look at the types of the risks that an organization would be concerned about, it would be related to leakage of information,” said Francoeur.
The elevated fear of ex-employee reprisals is compounded by 56 per cent of respondents reporting a scarcity of IT resources, an eight per cent rise from last year. Francoeur said that while this is not a novel issue, the “significant rise” observed this year results primarily from workforce reduction.
But that doesn’t mean that organizations aren’t spending on IT security. Only 19 per cent of respondents said they have not yet taken steps to protect themselves in light of increased fear of IT threats from ex-employees.
For instance, those that are spending money on IT security are doing so in the areas of data leakage prevention (DLP), identity and access management, and change controls.
Respondents also said implementing or improving DLP technologies was the second-highest priority in the next 12 months, with organizations investing in tools and processes to identify and protect sensitive data.
Francoeur isn’t surprised that DLP was rated more importance than even security awareness training and regulatory compliance, given the ease with which data can be easily removed from an organization.
“Even in the past, a number of companies were investing heavily in protecting sensitive data either through content monitoring, filtering tools, laptop and e-mail encryption … more and more we’re seeing the use of additional mobile devices such as PDAs and USBs,” said Francoeur. “So this continues to be a challenge.”
According to Forrester Research analyst Andrew Jacquith, the starting price for a DLP implementation can be pretty high, but prices are expected to fall heading into next year as more vendors enter the market. “We will see price erosion because of competition,” said Jacquith.
And as enterprises look to deploy DLP, Jacquith said they will naturally turn to security vendors with which they already have relationship. “If it’s a big McAfee shop or a Symantec shop, they’ll look there first,” he said.
The DLP market leaders, according to Forrester rankings, are Websense Inc., McAfee Inc., Symantec Corp., CA Inc., EMC’s RSA Security and Verdasys Inc.
Improving information security risk management was the sole area deemed more importance than DLP, the Ernst & Young survey found. This primary focus, said Francoeur, indicates a holistic view of security that is developing within organizations.
Even the art of information security management itself is evolving, as data becomes increasingly easier to take beyond the corporate boundary, said Francoeur.
“[They are] moving away from the approach of keeping bad guys out to protecting data no matter where it resides and using that more information-centric view of security,” he said.
--With files from Ellen Messmer, Network World U.S.
