October 13, 2008
The Insider Security Threat in I.T. And Financial Services: Survey Shows Employees’ Everyday Behavior Puts Sensitive Business Information at Risk
BEDFORD, Mass., Oct. 13 /PRNewswire/ -- RSA, The Security Division of EMC , today announced the findings of its latest insider threat survey, conducted among attendees at industry events in North America and Latin America in the spring and summer of 2008.
The survey polled 417 individuals - including delegates at the RSA Conference - who confessed to their work-related security behaviors and attitudes. The survey respondents work across a range of industries, with a heavy concentration within the financial and technology sectors. Almost half of the respondents' job functions were in information technology. During this era of well-publicized data breaches, the results indicate that even those who should know better are not exempt from the everyday behaviors that can trigger significant risk to sensitive business information.
Of the respondents polled: -- 46% work in the financial services sector -- 20% work in the technology sector -- 46% are IT professionals -- 11% are executives -- 54% work in companies with more than 5,000 employees. People do as they will, regardless of awareness of best security practicesThe results of the survey show that employees are well aware of the restrictions placed upon them by their corporate IT departments, yet many often work around these controls in order to get their jobs done in a convenient and timely manner.
Of all respondents polled: -- 94% are familiar with their organizations' IT security policies, yet 53% have felt the need to work around IT security policies in order to get their work done. -- In response to a separate question, 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home. -- At the U.S. event, this statistic decreased to 50%, but increased to 62% at the Mexico event and 71% at the Brazil event -- 15% have held a door open for someone at work that they did not recognize -- The Brazil event reported the best figures at 7%, followed by 16% at the Mexico event. By contrast, the results from the U.S. event revealed almost one in three insiders (31%) have let a stranger into their workplace.
When trusted insiders work around security policies, sensitive data can be exposed that places businesses and their customers - often consumers - at unnecessary risk. Organizations can greatly mitigate this risk by developing information-centric security policies that acknowledge and align with the needs and realities of the business. This can help guard the integrity and confidentiality of information throughout its lifecycle--no matter where it moves, who accesses it or how it is used. In tandem, organizations should build-in more convenient, invisible, and layered security technologies that can reduce the factors that cause employees to break the rules and defeat their own company's security policies.
Remote access to sensitive information: random and unprotected
In a mobile world, the survey affirms that employees depend on remote access to corporate information when outside the office, whether at home or in public places.
Of all respondents polled: -- 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail -- 58% frequently or sometimes access their work email via a public computer, and 65% frequently or sometimes access their work email via a public wireless hotspot
Remote access to sensitive data requires stronger forms of authentication than a simple, static and vulnerable combination of a username and password. To help solve this problem, organizations can maintain the flexibility and convenience of remote access to VPNs and webmail by providing one-time passwords via a hardware token, or a software token that is easily accessible on mobile devices such as BlackBerry(R) smartphones.
Information can be a moving target - and portable data is regularly mishandled
The survey findings show that, in order for employees to be most productive, information has to be free to move. However, employee mobility increases the collective responsibility of protecting the information that is carried outside of the organization.
Of the respondents polled: -- One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it -- The Mexico event reported the highest incidence of exposed corporate data, with a staggering 29% of all respondents confirming that they had lost a laptop, smartphone and/or USB flash drive; the U.S. event had the lowest figures, at 5% -- 79% frequently or sometimes leave their workplace carrying a mobile device containing sensitive information related to their jobs, such as a laptop, smartphone and/or USB flash drive
While mobility is essential to business agility, unprotected information - wherever it is kept or stored - increases risk. A policy-based approach to securing data helps to enable organizations to classify their sensitive data, discover that data across the enterprise, enforce controls, and report and audit to ensure compliance with policy.
"Data loss prevention is a key concern for those in charge of today's corporate networks and information assets. However, with the sheer portability of information that we have today, it is essential that that data is governed not by the whims and day-to-day actions of your employees, but rather by pre-determined policy and subsequent controls," said Tom Corn, Vice President, Data Security, at RSA. "In this way, organizations can prevent sensitive information from being written to a USB flash drive in the first place - or at least mandate that it is encrypted."
Making sure the right users have access to the right information
Organizations are dynamic and individuals' roles often change within the organization - be it an employee's internal move to a different job function or an outside consultant who moves on after the completion of an engagement. However, the governance of the corporate network does not always stay in lockstep with these moves.
Of all respondents polled: -- 43% had switched jobs internally and still had access to accounts/resources which they no longer needed -- The Mexico event reported the best results with 30%, followed by the Brazil event at 42%. However, at the U.S. event, one out of every two respondents (50%) still had access to unnecessary areas of their corporate systems. -- 79% reported that their company employs temporary workers and/or contractors who require access to critical organizational information and systems -- 37% have stumbled into an area of their corporate network to which they believe they should not have had access
Access to highly sensitive data should be granted only to those who need it, and in some job functions access to only very specific areas within the information infrastructure are necessary. Organizations can manage large numbers of users while enforcing a centralized role-based security policy that ensures compliance, protects enterprise resources from unauthorized access and makes it easier for legitimate users to do their jobs.
"The survey reveals that it is as important for businesses to diligently enforce information security controls and policies focused on protecting the everyday actions of well-meaning, innocent insiders as it is to enforce those designed to defend against those with malicious intent," said Christopher Young, Senior Vice President at RSA. "It remains clear that businesses need to take a layered approach to security to help mitigate the insider threat and keep data safe. As such, it is important for any organization to know who has access to your information; control access through policy; monitor for suspicious activity to verify user identities; create and enforce data security policies and controls; and transform real-time event data into actionable compliance and security intelligence."
For a report of the full 2008 survey findings and recommendations, please view The 2008 Insider Threat Survey: Workers Admit to Everyday Behavior That Puts Sensitive Information at Risk
The 2008 Insider Threat Survey by RSA, The Security Division of EMC, was taken by 417 attendees at three industry events in three countries within North America and Latin America:
-- RSA Conference U.S. (April 7-11; 134 respondents) -- Demystifying the Payment Card Industry Standard: Routes to PCI Compliance, Mexico City (May 28; 44 respondents) -- CIAB 2008 Brazil (June 11-13; 239 respondents)
RSA's November 2007 Insider Threat Survey respondents were government or office workers polled on the streets in Boston and Washington D.C. Both the 2007 and 2008 survey respondents were employees, contractors, partners, visitors and consultants who have physical and/or logical access to organizational assets, and each survey contained the same questions.
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle - no matter where it moves, who accesses it or how it is used.
RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit http://www.rsa.com/ and http://www.emc.com/.
RSA is a registered trademark or trademark of RSA Security, Inc. in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. The BlackBerry and RIM families of related marks, images and symbols are the exclusive properties and trademarks of Research In Motion Limited.
CONTACT: David Seuss, RSA, The Security Division of EMC Corporation,+1-781-515-6279, email@example.com; or Heather Milne of OutCastCommunications, +1-215-875-8138, firstname.lastname@example.org, for EMC Corporation
Web Site: http://www.emc.com/http://www.rsa.com/