Missing the Threats Under Their Noses

Despite proof, companies show little awareness of security breaches by insiders and ex-employees.

System administrators and CIOs have little concept of the top threat to security, according to a survey released last week by eWeek and security vendor Camelot IT Ltd.

Despite personal experience and empirical evidence to the contrary, 57 percent of respondents who listed themselves as very concerned about network and privacy security issues said that outside attacks are a bigger threat to their networks than attacks from insiders.

In addition, 22 percent of the respondents to the Camelot Network Security and Privacy Survey said they were not concerned about unauthorized insiders having access to sensitive data.

These answers are even more perplexing considering that, of those who reported a security breach within the last year, 57 percent said the breaches were caused by inside users accessing unauthorized resources, while 43 percent blamed accounts left open after an employee has left the company.

Fully 21 percent of the respondents said their companies had been the victim of an attempted or successful break-in by an angry employee.

And with more and more companies laying off employees every week, these breaches are only going to get worse.

"Anyone who thinks that external security is their biggest problem isnt thinking," said David Thompson, a Boston-based security consultant and the former CIO at the Defense Advanced Research Projects Agency. "What harm is really done if someone defaces your Web site? None. But what if a customer gets access to another customers pricing information on your intranet? Then youre in trouble."

The survey was a poll of 548 eWeek subscribers, 47 percent of whom are either system administrators, IT managers/directors or CIOs/chief technology officers.

"Its clear that internal security is the No. 1 threat," said Ofer Gadish, executive vice president of technologies at Camelot, based in Haifa, Israel, with U.S. headquarters in New York. "But I think theres a gap between what people are afraid of and what they recall from past attacks. Awareness of Internet security is higher than that of internal security."

Another surprising result of the survey is the revelation that 49 percent of the respondents said they had no annual budget for maintaining or upgrading their network security system, and 16 percent didnt know whether they had such a fund.

In an environment where researchers discover new holes in software virtually every day, that kind of complacency is something most companies cant afford, industry experts say.