How much attention should CISOs pay to insider risks?

A survey conducted for a vendor, making the rounds on news sites this morning, suggests infosec pros should be paying more attention to threats from negligent or careless insiders than to attacks from outside the firewall. However, I think the results deserve a closer look.

The study of 1,071 IT and security practitioners in the U.S. and Germany was conducted by Ponemon Institute and paid for by Raytheon|Websense to see whether cultural differences in the workplace explain how organizations manage insider risk.

Asked whether more security incidents are caused by unintentional mistakes than by intentional and malicious acts, 70 per cent of U.S. respondents agreed, compared with 64 per cent of German respondents. But almost half in both countries (49 per cent of U.S. respondents and 44 per cent of German respondents) said they cannot tell the difference between security incidents caused by careless employees and those caused by malicious ones. Those who say they can differentiate between malice and negligence put the negligent share at an average of 70 per cent (U.S. respondents) or 63 per cent (German respondents) of all insider security incidents.

The survey also found that German respondents are more likely to agree their organizations lack the safeguards needed to protect against careless employees (54 per cent of German respondents agree, versus 46 per cent of U.S. respondents). U.S. respondents, for their part, are more likely to agree that their employees are not properly trained to follow data security policies and that senior executives do not consider data security a priority.

What to make of this? Given the number of attacks that begin with a staff member opening an attachment that downloads malware, I'm surprised more IT pros don't think security incidents are more likely to be caused by accident than by deliberate acts. On the other hand, consider the number of successful attacks that exploit unpatched software (servers, Flash, SQL databases). Whose fault is that?

In both countries at least two-thirds of IT pros say the biggest security risk from negligence comes from ordinary staff. A smaller share, though still more than 50 per cent, worry about contractors and third parties, while privileged users are named by roughly 30 per cent.

The two groups do appear to have different ideas about stopping unintentional risk by staff. Germans are more likely to limit the practices that can create unintentional risk (the survey doesn't say which practices, but I would expect that to include limiting access to sensitive data), while U.S. respondents preferred by a wide margin to monitor employees' behaviour, presumably through software.

However, at least two-thirds of both groups agreed on the importance of conducting frequent training and awareness programs with users on the unintentional risks they may be taking. On the other hand, here are some alarming numbers: 19 per cent of Americans and 14 per cent of Germans agreed there is no way of stopping unintentional insider risk.

Well, that's true: if you stop 99 per cent of employee mistakes and one gets through, it can be devastating to the organization. But a well-thought-out mitigation plan should cover that.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
