The newly released global edition of the 2015 Vormetric Insider Threat Report presents the results of a survey of over 800 global IT decision makers, analysing international enterprises’ perceptions of information security threats with particular reference to insiders who, whether maliciously or accidentally, put their organisations at risk.
The report notes that the insider threat landscape is changing, and “now includes outsiders who have stolen valid user credentials; business partners, suppliers, and contractors with inappropriate access rights; and third-party service providers with excessive admin privileges.”
Several of 2014’s notable data breaches were caused by insiders, and these high-profile incidents appear to have shaped global perceptions of the scale of the threat: only 11% of respondents to Vormetric’s survey felt that their organisation was “not vulnerable to insider attacks”, while some 34% said they felt their organisation was “very or extremely vulnerable”.
Other notable findings include:
- 40% of organisations experienced a data breach or failed a compliance audit in the last year.
- 89% of respondents felt that their organisation was now more at risk from an insider attack.
- 55% of respondents said privileged users posed the biggest internal threat to corporate data; 46% said contractors and service providers; 43% said business partners.
Insider threats and Cloud security
Concerns about insider threats are far higher in the UK than in many other countries. 40% of UK companies said they had suffered a significant data breach or failed a compliance audit in the last year, and 50% of UK organisations said they would increase their security and data protection spending in the year ahead.
Globally, the UK is the only country where the Cloud is perceived as being at the greatest risk of insider attack, reflecting the growing adoption of Cloud services in the UK and the volume of company data now held in the Cloud.
The importance of privileged access/identity management (PAM or PIM)
‘Privilege creep’ – where users incrementally gain access rights beyond their requirements, usually as a result of job changes – remains a serious issue for many. Only 58% of organisations are able to control privileged users, and only 56% monitor and audit privileged user activities. It is essential that all users’ access levels are appropriate to their job roles. Access control not only prevents the malicious use of privileges by a user, it protects networks from attack when users’ credentials are lost or stolen – as we saw at Sony last year when attackers gained unfettered access to the network through a set of stolen credentials, and Home Depot, where a third-party air conditioning supplier with excessive access rights was hacked.
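One practical way to surface privilege creep is to reconcile what each account actually holds against the entitlements its current job role requires, and to fix the privileged excess first. The script below is an added illustration, not code from the Vormetric report or from IT Governance; the role names, entitlement names and user records are constructed for the example.

```python
# Added example (not code from the report or IT Governance): a least-privilege
# reconciliation that flags "privilege creep", i.e. entitlements a user still
# holds that their current job role does not require. All role names,
# entitlement names and user records below are constructed for illustration.

# Baseline: the entitlements each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing.read", "ticketing.write", "ad.reset_password"},
    "sysadmin": {"ad.reset_password", "ad.domain_admin", "vpn.admin"},
    "finance": {"erp.read", "erp.post_journal"},
    "contractor-hvac": {"bms.read"},
}

# Entitlements whose holders must be monitored and audited; excess grants of
# these are the ones to revoke first.
PRIVILEGED = {"ad.domain_admin", "vpn.admin", "erp.post_journal"}

# Constructed IAM export: each user's current role and what is actually granted.
USERS = [
    {"user": "alice", "role": "finance",
     "entitlements": {"erp.read", "erp.post_journal"}},
    # Bob moved from sysadmin to helpdesk and kept his old admin rights.
    {"user": "bob", "role": "helpdesk",
     "entitlements": {"ticketing.read", "ticketing.write",
                      "ad.reset_password", "ad.domain_admin", "vpn.admin"}},
    # A third-party contractor granted far more than the maintenance task needs.
    {"user": "hvac-vendor", "role": "contractor-hvac",
     "entitlements": {"bms.read", "erp.read", "vpn.admin"}},
]


def find_privilege_creep(users, role_entitlements, privileged=PRIVILEGED):
    """Return {user: {"excess": [...], "privileged": [...]}} for every user
    holding entitlements beyond their current role's baseline."""
    findings = {}
    for u in users:
        allowed = role_entitlements.get(u["role"], set())
        excess = u["entitlements"] - allowed
        if excess:
            findings[u["user"]] = {
                "excess": sorted(excess),
                "privileged": sorted(excess & privileged),
            }
    return findings


if __name__ == "__main__":
    for user, f in find_privilege_creep(USERS, ROLE_ENTITLEMENTS).items():
        flag = "HIGH" if f["privileged"] else "LOW "
        print(f"{flag} {user}: revoke {f['excess']}")
```

Run against a real IAM export, the same reconciliation gives a revocation list for each role change and a standing report of which privileged grants are held outside the roles that need them.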
The report notes that “a more holistic approach is needed to address immediate data breach protection requirements, while delivering security solutions that are capable of evolving to deal with the changing compliance agenda.” ISO 27001, the international standard for information security management, sets out the requirements of an enterprise-wide information security management system (ISMS) that addresses people, processes and technology.
An ISO 27001-compliant ISMS requires staff to be adequately trained, their access rights to be suitably controlled, and a best-practice approach to information security to be adopted throughout the organisation.
All staff can be made aware of their security obligations with IT Governance’s ISO 27001 staff awareness courses:
Our Information Security Staff Awareness E-learning Course aims to familiarise non-technical staff with information security policies and procedures, thereby reducing the organisation’s susceptibility to attack.
Our Information Security & ISO 27001 Staff Awareness E-learning Course enables employees to gain a better understanding of information security risks and compliance requirements in line with ISO 27001, the international information security standard.
If you’re concerned about your organisation’s susceptibility to insider security threats, you need to ensure that everyone in the organisation behaves responsibly. Click here to find out more about information security staff awareness e-learning or call us on 0845 070 1750 to arrange a free demonstration.