Internal security threats are mainly accidental
IDC study shows that a greater number of internal security threats come from accidents than from deliberate attacks
The risk and losses from security accidents by insiders outweigh the threat from malicious insiders, but IT organizations are still aiming their efforts at preventing malicious internal threats, according to new research by IDC.
The study, which was sponsored by RSA, showed that more security incidents were caused by accidents or carelessness by insiders than by malicious insider attacks, and the financial impact was greater.
Unintentional data loss through employee negligence was the most common threat, while the greatest financial impact was caused by out-of-date or excessive privileges and access control rights for users. Other internal incidents include the accidental spread of malware and spyware.
While 40% of organizations surveyed said they would increase spending on security to address internal threats, the investment risks being put into the wrong areas as companies look to prevent malicious losses, said RSA.
"Internal risks are growing and to remain competitive, CxOs must change the way they defend their business and expand security priorities to address the heightened need for protection from risk both intentional and accidental from an insider. CxOs must adopt a holistic strategy to mitigating insider threat that focuses on protecting critical information from misuse, leakage and loss by internal users, whether accidental or deliberate," said Ahmed Abdella, regional manager, Middle East, North & West Africa, RSA.
The survey found that 52% of insider threats were perceived as accidental, against 19% that were thought to be deliberate. Where security incidents involved contractors and temporary staff, who were rated as the highest risk of internal threat, 82% of CxOs said they did not know whether incidents were deliberate or not.
In total, the 400 respondents questioned reported over 57,000 internal security incidents over a period of 12 months. The average annual financial loss from insider risk was nearly $800,000 in the IT outsourcing industry.
The survey also highlighted that while almost all of those surveyed were responsible for their organization's security, 82% were unclear on the source of their company's insider risk and could not accurately pinpoint or quantify the nature of the financial impact.
"Employers view their relationship with employees as one of trust and recognize their people are their biggest asset," said Chris Christiansen, Program VP, Security Products of IDC. "But, the vast nature of an organization's infrastructure, coupled with a dispersed, often global employee base, and complex internal user mix of employees, consultants, partners and outsourcers make addressing the risks posed by its internal users the biggest security challenge that CXOs currently face: whether the risk is intentional or not, it's there. It's real."