Study finds nearly half of UK employers trust workers not to steal company information

Although insider threats to data security remain a serious problem, the word apparently hasn’t made it up the corporate food chain in the UK.

Survey results released recently by the UK office of network security provider LogRhythm, headquartered in Boulder, Colo., found that nearly half (44 percent) the 1,000 employers polled said they trusted their employees not to access confidential documents or steal data from them.

More than a third of the sampling (37 percent) conceded that their workers might engage in those practices but would “like to think not.”

Those employers may be a little naive about their workforces. A study released earlier this year by Symantec and the Ponemon Institute of 3,500 workers worldwide revealed that half of them regularly emailed business documents to their personal accounts, a third confessed to moving work documents to unapproved file sharing apps and 40 percent stashed work files on their mobile devices.

“The big issue with that is that the majority of the people don’t delete any of the data that they move,” Robert Hamilton, director of product marketing at Symantec, told CSO. “It’s a pretty significant problem.”

He said employees need more education about data ownership. “It’s not that people are bad and they’re out to rip off their employers,” Hamilton said.
“They think they have an ownership stake in this information, and they’re inclined to take it in the absence of somebody telling them not to.”

The great trust that the employers place in their workers may explain why nearly a third of them surveyed by LogRhythm (31 percent) said they don’t need to deploy any systems to stop employees from accessing confidential information or removing it from their companies.

Another 16 percent of the firms surveyed confessed they didn’t have data access security systems in place because they hadn’t gotten around to it, and another 28 percent had them in place but said they weren’t effective or not enforced.

Most organizations have access control systems in place, but those systems are becoming increasingly ineffective in protecting data, said LogRhythm founder and CTO Chris Petersen.

Five years ago, most of a company’s data was going to be on a file server, locked down with permissions and rights management, he explained. “Today, you’re looking at environments where your data is everywhere,” he said in an interview. “It’s mobile and those access control models have started to break down.”

“An organization can have the tools to control access,” Petersen said. “But they’re useless because their data is out of control.”

Protecting data from access by former employees didn’t seem to be a priority of the firms either. A third of the respondents in the LogRhythm survey (33 percent) declared they didn’t regularly change passwords to prevent ex-employees from accessing company websites or documents, and another 28 percent confessed they didn’t adopt the practice, although they knew they should.

“Employees pose the greatest risk to a company’s data,” said Michael DuBose, who leads the cyber investigations practice at Kroll Advisory Solutions, and the former head of the cyber crimes division in the U.S.
Department of Justice.

“There’s been a lot of recent attention to Chinese hackers and state-sponsored cyber theft,” said DuBose. “All of that is important. It’s significant.”

“But, I think it’s important that companies not lose sight of the fact that, notwithstanding that threat, the vast majority of cases involving stolen trade secrets or proprietary data still originate with company insiders,” he said.