A survey conducted for a vendor is making the rounds on news sites this morning that suggests infosec pros should be paying more attention to the threats from negligent or careless insiders than attacks from outside the firewall. However, I think the results should be looked at more closely.
The study of 1,071 IT and security practitioners in the U.S. and German was conducted by Ponemon Institute and paid for by Raytheon|Websense to see if cultural differences in the workplace explain how they manage risk.
Asked if more security incidents are caused by unintentional mistakes than intentional and malicious acts, 70 per cent of Americans agreed, compared to 64 per cent of Germans. But almost half in both countries — 49 percent of U.S. respondents and 44 percent of German — said they can’t tell the difference between security incidents caused by employees who are careless and those who are malicious. Those who say they can differentiate between maliciousness and negligence, say it represents an average of 70 percent (U.S. respondents) or 63 percent (German respondents) of all insider security incidents.
The survey also found that German respondents are more likely to agree that their organizations do not have the necessary safeguards in place to protect their organization from careless employees (54 percent of Germans agree and 46 percent of U.S. respondents agree). Respondents in the U.S. are more likely to agree their employees are not properly trained to follow data security policies and senior executives do not consider data security a priority.
What to make of this? Given the high number of attacks that start with staff clicking on an attachment that downloads malware, I’m surprised that more IT pros don’t think security incidents are likely caused by accident rather than deliberate acts. On the other hand, think of the number of successful attacks that exploit unpatched software (servers, Flash, SQL databases) — and whose fault is that?
In both countries at least two-thirds of IT pros say the biggest security risk due to negligence comes from ordinary staff, a lesser percentage but more than 50 per cent worry about contractors and third parties, while privileged users are in the 30 per cent range.
They do appear to have different ideas about stopping unintentional risks by staff. Germans are more likely to limit the practices that can create unintentional risk — none are suggested, but I would think it would include limiting access to sensitive data — while American respondents prefered by a wide margin to monitor employees’ behavior, presumably through software.
However, at least two-thirds of both groups agreed in the importance of conducting frequent training and awareness programs with users on unintentional risks they may be taking. On the other hand, here’s alarming numbers: 19 per cent of Americans and 14 per cent of Germans agreed there is no way stopping unintentional insider risk.
Well, that’s true: If you stop 99 per cent of employee mistakes and one gets through it can be devastating to the organization. But a well-thought out mitigation plan should cover that.