Most organizations have gaping security holes when it comes to protecting themselves against insider threats, according to a SpectorSoft survey of 772 IT security professionals.
Nearly a third (32 percent) of respondents said they have no ability to prevent an insider attack, while 52 percent of respondents cannot size the potential damage, and 44 percent do not know what they are spending to address the threat.
Although almost three-fourths of respondents (74 percent) are concerned primarily with employees, whether malicious or merely negligent, 44 percent of respondents said they don’t know how much they currently spend on solutions that mitigate insider threats. Similarly, 45 percent don’t know how much they plan to spend on insider threat technology in the next 12 months.
"I think the key first step businesses with smaller IT budgets can take to improve their insider defenses is to not use limited resources as an excuse. There are no-cost and low-cost, both in terms of dollars and effort, steps that all businesses can take," Mike Tierney, chief operating officer of SpectorSoft, told eWEEK. "Improved internal communication between HR and IT costs nothing, but goes a long ways toward making sure that IT is able to react to elevated insider risk stemming from circumstances that only HR is aware of – like financial hardships, performance plans, and other personnel issues that can lead to disgruntlement."
Tierney said having access controls in place to limit employee access to critical data is essential. Native tools can help accomplish the task without significant investments, he noted.
As awareness of data loss increases, more organizations are starting to understand the importance of incident response plans, with 69 percent of respondents indicating that they currently have one in place.
However, of those companies, more than half said their plan doesn’t incorporate special provisions for insider threats. That means 66 percent of respondents either do not have an insider response plan or have no incident response plan at all.
Causes behind these security gaps are numerous, with respondents citing lack of training, lack of budget and lack of internal staff as the three most significant reasons for lack of insider threat defenses.
In addition to budget and staffing woes, 28 percent of all respondents claim that insider threat detection and prevention is not even a priority in their organizations.
"I believe insider threats will continue to increase until investment in the solutions, processes, and people needed to combat them catches up with the growing awareness of the problem," Tierney said. "Insider threats are typically more damaging than external, because the insider has been given access and knows exactly what they are looking for. They are typically harder to detect, for the same reasons. I believe increased investment is critical, but should not be done at the expense of perimeter defense. Robbing Peter to pay Paul won’t work here."