We hear a lot these days about the gathering threats of cyberspace, where outside entities use software flaws, hijacked computers and social engineering to strike at company networks. But for many of those who participated in the 2011 CyberSecurity Watch Survey, malicious insiders are the greater cause for concern.
Of the 607 respondents who participated this year, 58 percent said most of the attacks they experience are caused by outsiders without authorized access to network systems and data, compared to 21 percent who cited malicious insiders -- employees or contractors with authorized access. But 33 percent said insider attacks are more costly -- up from the 25 percent who said so last year.
Meanwhile, respondents said, insider attacks are becoming more sophisticated, with a growing number of insiders (22 percent) using rootkits or hacker tools compared to just 9 percent a year ago. Such tools are increasingly automated and easily available.
Not only are insider attacks financially costly, but they do additional damage that's often hard to quantify and recoup, the survey report said. Damage to an organization's reputation, critical system disruption and loss of confidential or proprietary information are the most insidious problems, respondents said.
Among the other findings in this year's survey:
- Twenty-eight percent of respondents have seen an increase in the number of attacks.
- Unintentional exposure of private or sensitive information has significantly declined since 2010 (31 percent in 2011 vs. 52 percent in 2010).
- The largest category of concern from a supply chain standpoint is with third-party vendors (55 percent in 2011 vs. 49 percent in 2010).
- Respondents are also concerned with contractor awareness (49 percent) and software awareness (42 percent).
- Cyber attacks from foreign entities have doubled in the past year, from 5 percent last year to 10 percent in 2011.
Joji Montelibano, who works in the CERT Insider Threat center at the Carnegie Mellon Software Engineering Institute, sees a silver lining in this year's numbers. "What's encouraging is that the cost of damages from insiders has decreased," he said. "Sixty-seven percent called it costly last year, but this year it's down to 46 percent. We'd like to think the right controls are being implemented and doing some good."
Indeed, respondents pointed to several steps they've taken to reduce their risk exposure. Sixty-five percent are providing more cybersecurity awareness training for employees and implementing internal monitoring tools like data loss prevention (DLP).
Eighty percent are using access management, 69 percent have deployed intrusion detection systems, 65 percent use vulnerability management tools and 64 percent use identity management technology. Since 2010, the biggest swing in implementation is vulnerability management systems, which grew to 65 percent from 48 percent last year.
"Organizations are becoming more strategic in how they prevent and respond to cybersecurity events such as the advanced persistent threat," said Ted DeZabala, national leader of Deloitte's Security & Privacy services.
But the news here isn't as cut and dried as it may look at first glance.
DeZabala noted that while the survey suggests the annual monetary losses from events have dropped from $395,000 in 2010 to $123,000 per organization in 2011, the shift in numbers may be the result of organizations associating incidents with different domains, such as privacy and fraud, rather than traditional cybersecurity.
Whatever the case may be, CSO Publisher Bob Bragdon said employees and the technologies they use are the best line of defense against cyber attacks and risk. "The continued effort to empower employees to recognize risks, and the process to report or deter a problem, has been a reason why organizations are more prepared for these attacks and there is optimism that the evolution of preparedness will continue," he said.
More than 600 respondents, including business and government executives, professionals and consultants, participated in this year's survey -- a cooperative effort between CSO, the U.S. Secret Service, the Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte. It was conducted from Aug. 16 to 30, 2010.
An email invitation with a link to the survey was sent to CSO magazine readers/site visitors plus the members and partners of the U.S. Secret Service's Electronic Crimes Task Forces.