Theale, UK – Thursday, 3 September 2015. Finance and HR departments, and the people working in them, represent the biggest information security threat to business, according to global data security professionals. Nearly half (48%) said finance departments posed a security threat to their organisation, and 42% said the same of HR (40% and 48% respectively for UK respondents).
The research, by data loss prevention company Clearswift, gathered views from over 500 data security specialists in the UK, USA, Germany and Australia.
These concerns relate to the potential for mistakes by employees in these departments, such as sending salaries or customer details to the wrong people or inadvertently installing malware of the type suspected to be behind last year’s eBay attack, which exposed millions of customer passwords.
This is partly because these departments have access to very sensitive data. However, the results suggest cultural factors also make people in these departments a higher risk. Legal and compliance, which have access to equally sensitive data, were considered a much lower risk (only 16% expressed security concerns).
The research also showed mid-career professionals were a higher risk. 37% of respondents said middle management represented the biggest threat, compared with 19% for senior management and 12% for executives/admins.
Perceived risk was lower for older employees, but 28% said those aged 35-44 were most likely to be behind malicious data theft.
Heath Davies, Chief Executive at Clearswift, says: “Senior managers are generally in tune with the consequences of data loss, whilst junior people often don’t have access to the kind of data that can cause disasters.”
“Middle aged, middle managers are in between – having access to the data but no obvious stake in the consequences of losing it. They are also more likely to be under time and financial pressure, and so may be more inclined to take risks. This makes them more likely to make mistakes or even succumb to foul play”.
An overwhelming 79% said men were more of a worry than women. Davies says “this perhaps suggests women are perceived as more cautious, however it could also imply that men are perceived to be more likely to be involved with handling sensitive data.”
67% said those working on site were more of a risk than those working remotely. “Despite all the security worries about people working out of the office on whatever devices they want, those in the office actually have easier access to sensitive data, so are more likely to lose it” explains Davies.
Data breaches are most likely to come from inside the business. 88% of companies questioned had experienced a security incident in the last 12 months, of which 73% were from people they knew: employees, past employees or customers/suppliers.
Security professionals estimated 53% of the workforce is in a position where they might cause an accidental security breach, whilst 5% are seen as having the potential to cause a malicious one.
Davies concludes: "We're not proposing targeting individuals, but if you can understand the combination of factors that make certain people in certain roles more of a risk, you can focus your resources on ensuring those breaches don't happen. For example, you could provide tailored security training or put in more sophisticated layers of security around particular segments of the business."
“Cyber security has a constantly changing field of play, balancing security with the freedom to collaborate. We live in a complex, changing world and threats will be different in different parts of the organisation. By pairing detailed knowledge and understanding with adaptive security technology, you can create a win-win security game-plan to help you combat insider threats: locking down your sensitive data while keeping business moving.”
Notes to editors:
This data was taken from research conducted by technology research firm Loudhouse on behalf of Clearswift. Over 500 IT Decision makers and 4000 employees were polled to gauge the level of threat from insiders.