It’s well known that insiders pose a significant threat to enterprise security.
Many enterprises think of the insider threat as the insider gone wrong: someone willing and ready to steal data to sell to competitors or criminals. But that's not the only risk case when it comes to insiders. There's also the very real risk of what IDC calls the “hapless” user: an insider, such as an employee, contractor, or other authorized user, who increases information security risk through carelessness. This could mean clicking on a phishing email, connecting to a rogue wireless network, visiting dangerous websites or peer-to-peer file-sharing services, or sharing passwords, all the bad computer hygiene most of us know we should avoid but many don't.
A study released last week, conducted by IDC and sponsored by Splunk, found that “account takeover as a result of the hapless user remains one of the primary vectors for security breaches in organizations.” But IDC concluded that traditional approaches to security don’t adequately address this risk.
The survey polled 400 organizations with more than 1,000 employees, based in the U.K., France, Germany, Sweden and the Netherlands. Key findings from the study:
- The malicious insider threat is perceived as low. Most companies do not consider a malicious insider a primary concern for their security operation; only 12% reported it as being of high concern. Yet companies also say they worry most about fraud, data loss, and unauthorized access to data, all of which are associated with a malicious insider. There is therefore a risk that CISOs focus on the consequences of malicious insiders while the actual threat is limited.
- Hapless users pose more of a threat than malicious insiders. Most organizations are much more concerned about threat types such as viruses, APTs and phishing. Most of these relate directly to another type of threat: accidental breaches enabled or caused by hapless users. But because organizations do not think about these threats in this way, most focus on traditional perimeter-based security measures. This means they are looking in the wrong places to detect attacks and avoid breaches caused by hapless users.
- Some organizations have no approach to detecting the activity that leads to accidental breaches. Only 12% of organizations use user-behavior analytics to detect anomalies, and 27% of respondents do not use even basic breach-detection methods such as log management. There is also an apparent lack of interest in learning from previous breaches, meaning that mistakes are destined to be repeated.
- Most organizations do not have the technologies, approaches or mindset to detect and respond to breaches once they occur. The majority of organizations across Europe are still using technology primarily designed to protect a traditional network-based perimeter. Firewalls and antivirus are near-ubiquitous but, while these technologies are still necessary, they are no longer sufficient in an era of the inevitable breach. Organizations seem unprepared to detect breaches after they have occurred: only a small minority have tools such as forensic investigation systems and analytics capabilities (user behavior analysis and anomaly detection) to detect breaches after the fact.
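To make the "user-behavior analytics" and "log management" findings concrete, here is a minimal illustration of what such detection looks like over an authentication log. This is an added example, not code from the IDC study, Splunk, or this article: it learns a per-user baseline (countries, user agents, login hours) from successful logins in a learning window, then flags later logins that break the baseline or follow a burst of failures, which is the account-takeover pattern the study singles out. The log lines, user names, thresholds and rule set are all constructed for the example.

```python
"""Toy user-behaviour baseline for account-takeover detection.

Builds a per-user profile from a learning window of successful logins,
then flags later successful logins that deviate from it. Everything here
(log format, users, thresholds) is constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not from any real system).
# Fields: ISO timestamp, user, source country, user-agent label, outcome.
RAW_LOG = """\
2023-03-01T08:55:10Z alice GB chrome-win success
2023-03-02T09:02:44Z alice GB chrome-win success
2023-03-03T08:47:03Z alice GB chrome-win success
2023-03-01T10:15:00Z bob NL firefox-mac success
2023-03-02T10:20:12Z bob NL firefox-mac success
2023-03-03T11:05:39Z bob NL firefox-mac success
2023-03-10T03:12:07Z alice RU python-requests failure
2023-03-10T03:12:09Z alice RU python-requests failure
2023-03-10T03:12:11Z alice RU python-requests failure
2023-03-10T03:12:14Z alice RU python-requests success
2023-03-10T10:01:22Z bob NL firefox-mac success
"""

LEARN_UNTIL = datetime(2023, 3, 5, tzinfo=timezone.utc)  # end of baseline window
FAIL_BURST = 3       # failed logins within BURST_SECONDS before a success
BURST_SECONDS = 300  # look-back window for the failure burst rule


def parse(raw):
    """Parse the constructed log format into sorted event dicts."""
    events = []
    for line in raw.splitlines():
        ts, user, country, agent, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "country": country, "agent": agent,
            "ok": outcome == "success",
        })
    return sorted(events, key=lambda e: e["ts"])


def build_profiles(events, learn_until):
    """Per-user seen countries, user agents and login hours from the baseline window."""
    profiles = defaultdict(lambda: {"countries": set(), "agents": set(), "hours": Counter()})
    for e in events:
        if e["ok"] and e["ts"] < learn_until:
            p = profiles[e["user"]]
            p["countries"].add(e["country"])
            p["agents"].add(e["agent"])
            p["hours"][e["ts"].hour] += 1
    return profiles


def detect(events, learn_until=LEARN_UNTIL):
    """Return one alert per successful login that deviates from the user's baseline."""
    profiles = build_profiles(events, learn_until)
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins
    alerts = []
    for e in events:
        if e["ts"] < learn_until:
            continue  # baseline events are not scored
        user = e["user"]
        if not e["ok"]:
            recent_failures[user].append(e["ts"])
            continue
        p = profiles.get(user)  # .get() avoids creating an empty profile
        reasons = []
        if p is None:
            reasons.append("no baseline for user")
        else:
            if e["country"] not in p["countries"]:
                reasons.append(f"new country {e['country']}")
            if e["agent"] not in p["agents"]:
                reasons.append(f"new user agent {e['agent']}")
            if e["ts"].hour not in p["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}Z")
        window = [t for t in recent_failures[user]
                  if (e["ts"] - t).total_seconds() <= BURST_SECONDS]
        if len(window) >= FAIL_BURST:
            reasons.append(f"{len(window)} failures in {BURST_SECONDS}s before success")
        recent_failures[user] = []  # a success closes the failure window
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": user, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(RAW_LOG)):
        print(a["ts"], a["user"], "; ".join(a["reasons"]))
```

Run as-is, the only alert is alice's 03:12Z login from a new country, with a new user agent, at an hour she has never logged in at, immediately after three failures: four independent signals that the same login is an account takeover rather than a hapless user on holiday. The rules are deliberately crude (a real deployment would use a longer learning window, tolerance around usual hours, and a risk score rather than a flat list), but the structure is the point: none of it works without the authentication log being collected and retained in the first place, which is the "basic method" 27% of respondents said they lack.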
We know there's no way to protect the enterprise against every “hapless” action a user may take. And as good as anti-malware and other defenses are, some attacks will get through, especially when users do things that make systems vulnerable. So breaches are going to happen. That's what makes IDC's last point the most important: defensive technologies are essential, but they are not enough. Enterprises need the ability to identify and quickly respond to data breaches if they're going to defend themselves against criminals, ill-intentioned insiders, and the hapless user who clicks on a phishing email.