83% of organisations suffered a data security incident last year, but focus is misguided, with internal threats emerging as a more significant danger than external threats.
Theale, UK 2nd May 2013: BYOD, cloud, collaboration and forthcoming EU legislation creating perfect storm conditions for security issues.
Clearswift, the global cyber-security company, today unveiled its latest research report, The Enemy Within 2013, identifying the extent to which internal security threats are affecting UK organisations, and how these are being managed. The Clearswift research has shown that improving and maintaining IT security remains a top three priority for 46% of organisations – and rightly so, as 83% of organisations had experienced some form of data security incident in the last year.
However, it appears that their focus on the type of threat is misguided: many organisations are fixated on external security threats, such as cyber-criminals and hackers, and over two thirds (69%) of respondents named protecting sensitive data from outside threats as a key driver for them. The reality is that 58% of respondents estimated that data security incidents within their organisations over the last year have come from across the extended enterprise (e.g. employees, ex-employees and trusted partners), compared with 42% attributing them to outside the organisation.
Perfect security storm conditions ahead
The internal threat - either by human error or malicious intent, lack of awareness of security policies and the use of personal devices on the corporate network - is fast becoming the enemy within. The increased uptake of ‘bring your own device’ (BYOD), cloud-based tools and the reliance on the extended enterprise to share information across global and diverse networks and with third parties are all building towards perfect security storm conditions ahead.
Guy Bunker, Senior Vice President of Products at Clearswift, commented, “These findings are a wake-up call to UK businesses. Internal threats don’t make the headlines quite as much as Far Eastern hackers, but must be taken more seriously by businesses as they are having a major impact on organisations far beyond the confines of the IT department.”
Identifying the enemy within & BYOD
So where are these internal threats coming from? Across the extended enterprise, 33% were attributed to employees, 7% were the result of ex-employees and 18% were due to errors incurred by third parties. A key factor in the security storm is BYOD, which is proving to be an unstoppable force, driven by employees’ desires to use familiar equipment that will help them do their job better. The survey found that the top three BYOD threats are believed to be employee use of USB or storage devices to save company data, inadvertent human error (e.g. sending an email to the wrong recipient) and employees sending work-related emails via personal email accounts or devices. It is likely that the 7% of security breaches caused by ex-employees cited above were made possible by weak security measures around BYOD.
The proliferation of BYOD must be addressed in order to avoid further security incidents. However, only 31% of organisations are accepting or proactively managing BYOD – the rest are resisting and blocking access where possible (52%) or denying it altogether (11%). This is despite the belief by half (53%) of the respondents that users will continue to use their own devices on the network, whether it is sanctioned by IT or not.
Guy Bunker adds, “Any organisation that does not take BYOD seriously is simply setting themselves up for a fall. It must be recognised within the security policy or there will be repercussions for the business - compliance, regulation, financial costs in the form of hefty fines, as well as reputational damage of the organisation.”
Tackling the security challenges
Recent headline-grabbing stories have ensured that cyber-attacks remain a concern for organisations and keep IT security high on the corporate agenda; however, 72% of respondents surveyed are struggling to keep up with the changing security landscape. Despite this, 81% think all companies should be more forthcoming about reporting major security breaches and attempts, perhaps in recognition of forthcoming UK government and EU legislation to make companies publicly share these incidents.
Heath Davies, CEO of Clearswift, commented, “This research validates how much of a priority internal data security is for businesses; we know that it is a fast-changing environment and that organisations do struggle to keep up with the external, as well as the emerging internal threats. A comprehensive security plan will cover all of these and should be backed up with a visible and tangible security policy to ensure the enemy within is not afforded the opportunity to incur any financial loss or reputational damage to the organisation.”
Enemy Within Research
Please find further information on the Enemy Within Research below:
About the research
Clearswift commissioned research of IT decision makers in companies of various sizes in the UK in March 2013. Three hundred online interviews were conducted across three key sectors: defence/aerospace (100), local government (100) and finance/banking (100). The survey was conducted by Loudhouse Research, an independent research agency based in London.
Clearswift is an information security company that provides adaptive cyber solutions that enable organizations to secure their business critical data from internal and external threats.
Clearswift has more than 3000 clients worldwide.
Headquartered in the UK, Clearswift operates out of offices in Australia, Germany, Japan and the United States. Clearswift has an extensive partner network across the globe.