IT security still seems to be the responsibility of the IT department alone. One would think that the high-profile attacks on companies like eBay, Anthem and Sony would jolt senior management into action.
But stats show that the minds of those at the top of the organisation are elsewhere. According to research by IS Decisions, more than half of IT professionals believe that their senior management does not take enough responsibility for addressing internal security like employee training and file auditing to address the insider threat.
Currently, the IT department (80%) takes responsibility for insider threat in nearly twice as many organisations as the C suite (43%) does.
That is a worrying statistic when the threat that employees pose is one of the most potentially dangerous to a business.
Network perimeter defences, firewalls, anti-virus software and threat-detection software can only go so far – if employees fall for phishing scams, share their login credentials or continue to access to company files once they’ve left, the organisation is wide open to attack.
Think you’re safe?
Many organisations, especially smaller ones, believe that only large corporations are targets for attackers. Indeed, the government’s recent Cyber Streetwise campaign found that SMEs are putting a third of their revenue at risk because they’re falling for common misconceptions around cyber security.
That is an extremely worrying statistics when IS Decisions’ research shows that more than 1,190 internal security breaches occur in UK businesses every day. Considering that kind of volume, small businesses are clearly far from immune.
In many cases, the breach comes from a simple employee error like leaving a computer logged in, sharing a password over email with a colleague, or leaving a USB stick with sensitive information on a train.
All incidents can occur within any size of organisation, and any size organisation has sensitive or valuable information whether that be financial or personal.
But by addressing insider threat and IT security in general, organisations can do much more than just keep the business safe. The benefits of IT security stretch much further and can often indirectly improve other aspects of the business.
One IT professional, who wishes to remain anonymous, recently disclosed that his company managed to win £300,000 worth of business because his company’s security was much more secure than that any other company pitching for the same work.
That deal alone will have easily helped ease any IT security budgetary concerns that his company may have had, and may have even contributed to a nice Christmas bonus at the end of the year for staff.
While IT security can bring in the money, it can also stop organisations from having to pay out vast sums too. Target, which was hacked last year after an internal security breach, had to pay a $67 million fee to Visa as a result of the breach. If the C-suite didn’t take that much responsibility for the insider threat before the breach, it certainly does now.
Even consumers are taking more of an interest these days in the security of companies before making a purchase. In fact, as many as 80% of IT professionals believe that perception of security processes has a big part to play in a customer’s decision on what companies they choose to do business with.
Businesses are in danger of falling behind the competition if senior execs don’t take more responsibility for IT security. Over two thirds of UK IT professionals (69%) who are currently without an insider threat strategy will launch one this year. If an organisation doesn’t put one in place, its defences will be weaker than its competitors’, which is something it may come to regret when trying to secure its next big deal at work.
Revise IT security budget
With IT in the spotlight more than ever these days, senior executives must realise that IT security isn’t just about keeping the company safe. Security can actually help close deals, forge strong partnerships and remain competitive.
However, in terms of budget, senior execs are still reluctant to spend more addressing insider threat. While IT security budgets generally have grown about 15% over the last year, only around 18% goes towards internal security specifically. That means that just 3.6% of the overall IT budget goes towards addressing one of the most dangerous threats to a business.
This disproportionate spend highlights the need for businesses to re-evaluate where their budget is going on IT security. Addressing internal security doesn’t necessarily have to be expensive; it just needs to be done right by combining effective employee training with the right tools that stop employees from logging in to multiple locations concurrently and ensuring only the right people can access sensitive information.
On the training side of things, education needs to be engaging – not boring – otherwise employees will switch off and not learn anything. Why not introduce an IT security game that they can play in ten minutes, rather than an hour-long lecture, for example?
One of the most dangerous things organisations can do where the insider threat is concerned is doing nothing, but they can often wonder where to start with the insider threat. IS Decisions’ research shows that 50% of businesses consult analysts, 45% turn to industry reports and 33% evaluate national standards.
The crucial point in any insider threat programme is action.
Sourced from François Amigorena, CEO of IS Decisions