WASHINGTON, May 10, 2014 — The usual focus of cybersecurity efforts on external threats to an organization and its mission overlooks the central, powerful danger: the insider threat.
“Corporations don’t take their internal security as seriously as they should,” explains Alex McGeorge, senior security researcher at Florida-based Immunity, a provider of specialized offensive information technologies.
McGeorge goes on to emphasize the importance of protecting a corporation from internal threats, explaining, “The attack surface inside of a network is always greater than outside; when you expose that kind of surface to anyone, the potential for damage is higher and the potential for detection is lower. With very few exceptions it isn’t difficult to get on the inside of a corporate network if you’re physically proximate to the corporation.”
An online survey titled ‘Boardroom Cyber Watch 2013,’ conducted by IT Governance, indicates that the outward-facing, threat-centric focus of organizations fails to produce a holistic security posture, one that accounts for the threat within.
The survey notes:
- More than half of respondents say that the greatest threat to their company’s data and computer systems in fact comes from their own employees.
- A quarter of respondents say their organization has been the target of a concerted attack in the past 12 months. The true total may be higher, however, since over 20 percent are unsure whether their organization has been attacked at all.
Compounding these survey results is the reality that the numbers likely understate the true extent of the problem.
“The survey asking if respondents have been the target of a concerted cyber attack within the last 12 months is interesting in that it exposes the naïveté of the participants,” explains McGeorge, who in addition to being a senior security researcher, has an extensive background in systems administration and network and security engineering.
“The reality is that for an organization of any reasonable size, say over 100 people, someone in that organization has been compromised within the last 12 months. Given what we know about how humans use computers and how bad they are at compartmentalizing that usage, we can safely say that business-relevant data was exposed.”
McGeorge’s ‘safe’ assumption, that some business-relevant data has been exposed through employees in any organization of reasonable size within the past year, shows how far supposition and reality are out of alignment. It is a far cry from the mere 25 percent of participants in the IT Governance survey who acknowledge an attack in the past 12 months.
James Thomas, an analyst at Fairfax-based Information Security Society, underscores McGeorge’s observations and the results of the IT Governance survey regarding insider threats with tangible statistics. Thomas notes, “In 2012, of all the reported large scale corporate and government breaches, roughly two-thirds of those with an accounted for cause were attributable to insider threats, including insider theft, negligence, data on the move, and sub-contractors,” adding, “Only 27.4% of the reported breaches were known to be attributable to external threats.”
The preponderance of evidence, including the new survey results, makes it clear that the insider threat remains a largely unaddressed vulnerability, with its business cost rising and the threat itself elusive and ubiquitous.
The parting takeaway reaffirms that the challenge remains, as it has for years, largely underappreciated and inadequately addressed. Understanding the landscape of the insider threat and the frequency of cyber attacks is only the beginning, because the misallocation of corporate funds that follows from misunderstanding it has clear repercussions for an organization’s customers and clients.
The failure to accurately understand the cyber threat, both external and internal, has led to the poor allocation of security funds within organizations. In fact, as the IT Governance survey reports, “over 40% of respondents say their company is either making the wrong level of investment in information security or are unsure if their investment is appropriate.”
In the end, the targets and those most likely to fall prey to insider threats are not only failing to act; they are acting ineffectually. It would appear that the inept are leading the blind and the insider is poised to continue to pilfer and plunder unabated in near perpetuity.
Follow Tim’s updates on Twitter @CyberTimbo.