Most insider-related security breaches go unreported, according to a
survey by the Ponemon Institute in the US.
The main reason it happens is because companies don't have the
resources to tackle the issue, according to the National Survey on
Managing the Insider Threat, backed by ArcSight, an enterprise security
management company in California.
The survey, of 461 people working in US corporate IT departments, found
that many respondents found it difficult, if not impossible, to identify
all data breaches that exist. In addition, 79% of the respondents said
that one, if not more, insider-related security breaches at their
companies just go unreported.
That is because there is a view that if it's insider-related, that
normally involves a careless or negligent, but not evil, employee, and
because people know each other, they’re more likely to say it was a mistake.
Approximately 93% of respondents believe that the number one barrier to
addressing the data breach risk is the lack of sufficient resources.
Another factor is that no single person has overall responsibility for
managing insider threats, according to 31% of respondents.
The respondents said they devote a considerable amount of their efforts
to trying to prevent or control insider threats. Approximately 10% said
they spend more than half of their time on insider-related risks, and
about 55% of respondents said they spend more than 30% of their time
dealing with those issues.
More than 61% of the survey respondents said that accidental data leaks
occur "frequently" or "very frequently" because employees or contractors
lack sufficient knowledge about preventative measures or because employees
or contractors are simply careless.
The figures on inside threats have spread much confusion among users.
One oft-quoted statistic, that 70% of all cyber attacks on enterprise
systems are perpetrated by trusted "insiders” has largely been discredited.
However, turning a blind eye to a breach because an employee has ‘only’
been careless or negligent seems to be a case of familiarity breeding
This was first published in September 2006