The survey showed that a third of the banks interviewed had suffered from internal attacks, while fewer than a quarter had experienced attacks from outside. In other words, the biggest dangers come from disgruntled or incompetent staff – rather than some Mr Big in the St Petersburg mafia.
So why is it that we pay so little attention to the rights and privileges we give users? For instance, why do so many companies struggle to close down user access after an employee has left the organisation?
Compared with all the clever technologies we deploy to handle things such as intrusion prevention and network security, access management should be a piece of cake.
But it isn't. I've been asking all sorts of people about this, and most of them look embarrassed and mutter things like "It's just too hard. I mean, you have to get the whole company involved. And then who pays for ID management? Nobody wants to pick up the cost."
So we leave the problem, like the proverbial elephant in the corner of the room that no one talks about, and carry on with the projects that are easier to define. But the elephant is still there.
Three separate conversations in the past month have confirmed this impression.
Lee Farman, CTO of testing firm Acutest, hit the nail on the head, saying: "Companies waste a lot of effort on security. It's so easy to target what's easy to test. But they fail to look at staff risks or monitor processes properly."
In other words, we devote masses of effort to those areas that we enjoy or can define – usually technology-based – and then we leave huge holes in our defences.
In another conversation with some IT security chiefs at a dozen of the country's biggest organisations, I heard much the same story. "Our biggest problem is we give people too many access privileges," admitted one of them. But assigning proper privileges and access to different applications seemed to be too hard to implement, for some reason.
Full confirmation of this problem came from the head of the Metropolitan Police's Computer Crime Unit, when I asked him what's keeping him busy these days. "Disgruntled former employees with sys-admin privileges," he replied.
And finally, if the insiders don't get you, then it'll be some third-party supplier you hadn't thought of. Last month, Citigroup managed to lose unencrypted tapes it had entrusted to a UPS delivery truck in New Jersey. Now it has switched to using encrypted data transmission. About time.
Ron Condon is editor-in-chief of SC Magazine