Rogue Employees: The Biggest Threat to Information Security

BYOD Security Problems — A trader looks at computer screens during Spain's bonds auction in a broker's office in Barcelona June 21, 2012.

While cyber-weapons, sophisticated phishing attacks and state-sponsored espionage grab all the headlines in the cyber-security world, it has been revealed that the biggest threats to your company's integrity lies much closer to home.

A poll of 79 attendees at last week's Infosecurity Europe 2014 by the British Standards Institution (BSI), found that 37% of respondents said the biggest threat to information security was rogue employees, higher than cyber-attacks (19%) and bring your own device (15%).

Suzanne Fribbins, risk management expert at BSI, said: "It's no surprise to see insider threats as the biggest risk to information security as employees will always be the one thing that cannot be controlled.

"Employees don't necessarily have to be malicious to put a company at risk; they may just not understand the possible risks associated with their actions. Research has shown that effective staff training can halve the number of insider breaches, by ensuring employees understand the importance of information security and their role in protecting businesses critical information."

Insider threat

Speaking to IT Security Guru, Tom Cross, director of security research at Lancope, said that it is important to differentiate the different classes of insider threat, as some insider threats come as a consequence of employee negligence, such as someone leaving a laptop with sensitive information on an airplane, or someone setting up a development website on the internet with real customer data.

"These are by far the most common causes of sensitive data loss by organisations," he said. "In other cases, malicious employees intentionally steal information. Of course, employee credentials or computer systems are sometimes compromised by external attackers. Each of these three categories of insider threat: negligent insiders; malicious insiders; and compromised insiders, require distinct responses within an information security program."

The survey also found that 52% of respondents had implemented an internal information security policy, while 47% had provided staff training.

Employee training

Asked if he expected training to be adopted by many more respondents, Cross said that employee training can have a huge impact on all kinds of insider security threats, and training is the most effective means to combat employee negligence that results in data loss.

"However, it also helps if the organisation puts thought into how to 'keep honest people honest' by ensuring that good information handling practices are the also the path of least resistance for getting work done in the organisation," he said.

"For example, it helps to have fake datasets available for developers to use in creating new applications so that they don't have to work with real data in development environments that haven't received full security testing.

"Training can also have an impact on certain compromise vectors like spear phishing. Although some employees will not respond to training, others will, and often a sharp eyed employee can be your first indicator that a sophisticated attacker is attempting to use spear phishing to compromise your organisation."

Certified

Finally, the survey found that 29% of respondents are either certified or operating in compliance (34%) with ISO 27001, while a further 23% indicated they were looking to certify in the immediate future.

Cross said: "Compliance frameworks like ISO 27001 can help you organise your information security program and explain the actions you are taking to management as being consistent with best practices. However, robotic compliance with standards should not be the driver of your information security efforts, as inevitably a minimal effort to meet standards compliance will leave important gaps in your defences. You should focus on protecting the organisation first by addressing the most important attack vectors, and then align those efforts to standards as a secondary step."

"In order for an information security management system to be effective, adequate resources have to be allocated, and roles and responsibilities for information security need to be clearly defined," said Fribbins.

"We have found organisations that implement ISO 27001 can better identify threats to their information security and put in place appropriate controls to manage and reduce risks."

Dan Raywood is editor of IT Security Guru.