RSA highlights insider threat confusion

Most chief security officers are misdirecting their focus on malicious insider security incidents when the majority of insider threats are committed accidentally by staff and trusted third parties, according to new research commissioned by RSA Security.

Analyst firm IDC interviewed around 400 IT decision makers globally for the survey, and found that the majority were unsure of the sources of internal risk and struggled to quantify the impact in financial and business terms.

Just over half thought that most insider threats were accidental, compared to 19 percent who believed them to be deliberate.

However, 82 percent were unable to specify whether incidents arising from contractors and temporary staff were accidental or not.

Many respondents said that threats such as the spread of malware from within the enterprise was a major concern, but the largest number of incidents came from unintentional data loss though employee negligence, while the incidents that had the most impact involved out-of-date privileges and inappropriate access rights.

Chris Young, senior vice president at RSA, argued that to mitigate the risks of insider threats, especially those which might have been caused with no malicious intent, organisations must take a risk-based approach to information security.

"Companies need to take an information risk approach and not an infrastructure protection approach. This requires enterprise-wide policies on protecting information and categorising risk," he said.

"The chief security officer needs to make sure that only the right people have access to the right information, although there is always a balance between security and convenience."

Young also stressed the importance of coupling this strategy with comprehensive education and awareness-raising programs so that "security is everyone's job".