UK companies are looking in the wrong place when it comes to potential cyber-security threats, with the focus on external attacks misplaced - the problem lies within.

BYOD Security Problems
A trader looks at computer screens during Spain's bonds auction in a broker's office in Barcelona June 21, 2012. (Credit: Reuters)

The world of cyber-security is a murky one. Populated by the devious-yet-inventive cyber-criminal; anonymous hacktivists and the all-seeing nation states, the job of protecting a company's vital systems from attack has never been tougher. However a new survey suggests the threat from all these actors is nothing compared to the threat from within your own organisation.

According to a report published on Thursday by UK cyber-security firm Clearswift, 58% of data security incidents over the last year have come from across "the extended enterprise" with employees, ex-employees and trusted partners to blame.

Despite this, many organisations are fixated on external security threats with 69% of organisations saying that protecting sensitive data from outside threats was a key driver for them.

The statistics come from a survey carried out by Clearswift during the month of March where three hundred people from within government, defence, aerospace, finance and banking organisations were interviewed.

Clearswift's research suggested that 83% of all organisations had "suffered a data security incident last year," but the situation is likely worse than this when taken across businesses as a whole in the UK.

According to a report published last week by the Department for Business, Innovation and Skills, 87% of small businesses and 93% of large businesses experienced at least one kind of security breach in the past year.

Guy Bunker, senior vice president of products at Clearswift, said: "These findings are a wake-up call to UK businesses. Internal threats don't make the headlines quite as much as Far Eastern hackers, but must be taken more seriously by businesses as they are having a major impact on organisations far beyond the confines of the IT department."

Fixing the problem

So where exactly do the problems arise? According to Clearswift's report 33% were attributed to employees, 7% were the result of security breaches by ex-employees and 18% were due to errors incurred by third parties.

The bring-your-own-device (BYOD) phenomenon is something which is adversely affecting companies' ability to secure their systems. "A key factor to the security storm is BYOD which is proving to be an unstoppable force, driven by employees' desires to use familiar equipment that will help them do their job better," Clearswift says.

The survey found that the top three BYOD threats are believed to be employee use of USB or storage devices to save company data, inadvertent human error (such as sending an email to the wrong recipient) and employees sending work-related emails via personal email accounts or devices.

It is likely that the 7% of security breaches caused by ex-employees cited above were made possible by weak security measures around BYOD.

Guy Bunker adds, "Any organisation that does not take BYOD seriously is simply setting themselves up for a fall. It must be recognised within the security policy or there will be repercussions for the business - compliance, regulation, financial costs in the form of hefty fines, as well as reputational damage of the organisation."

Head in the sand

While it is clear that this problem needs to be addressed the report found that companies are not doing enough to combat it. Only 31% of organisations are accepting or proactively managing BYOD, while more than half (52%) are resisting and blocking access where possible. Unfortunately 11% are simply putting their heads in the sand and denying the problem even exists.

This is despite the belief by more than half (53%) of the respondents that users will continue to use their own devices on the network, whether it is sanctioned by IT or not.

We are hearing about new cyber-attacks everyday and this creates a pressure all of its own for those charged with protecting a company's important intellectual property - with 72% of respondents surveyed saying they are struggling to keep up with the changing security landscape.