Information Security News mailing list archives

Curious employees are biggest security risk


From: InfoSec News <isn () c4i org>
Date: Tue, 5 Mar 2002 02:18:03 -0600 (CST)

http://www.theregister.co.uk/content/55/24282.html

By John Leyden
Posted: 04/03/2002 at 19:01 GMT

Forget about Internet crackers, employees are the biggest security
problem for most businesses.

That's the main conclusion of a survey of UK IT managers which
suggests that most firms are prepared for the threats posed by viruses
and hackers, but are still struggling to secure data on their own
networks.

Around half (51 per cent) of the respondents to the Oracle/Institute
of Directors-sponsored survey said that internal security breaches
were a bigger threat to business than those originating outside their
companies. This belief was particularly strong among smaller firms.

Oracle quotes a study by the Computer Security Institute (CSI) which
concluded that the average insider attack cost the target enterprise
approx. $2.7 million, compared with $57,000 for the average outside
attack.

Oracle reckons firms need to switch their attention to securing data
on their networks from "curious" employees via measures such as
encryption and password protection.

This is easy enough, Oracle suggests, but "90 per cent of the time
businesses will not put these safeguards in place because of drains on
performance or other similarly weak excuses."

Ouch.

One in three of the 100 IT managers polled during the survey cited the
loss of customer confidence as the most damaging aspect of a security
breach. Downtime and loss of commercially sensitive information (both
23 per cent) were selected as the next most important. Credibility (14
per cent) and loss of revenue (7 per cent) were selected as the least
important factors.

In a worrying finding for the development of e-commerce, more than a
quarter (27 per cent) of respondents to the Oracle study stated that
concerns over security had prevented them granting external customers,
suppliers or partners access to their Web site. This sentiment was
expressed most strongly by firms with a turnover exceeding £250m, the
study (conducted by IT research consultancy Vanson Bourne) discovered.

The survey reveals a certain amount of confusion among IT managers as
to where responsibility for security lay. While 32 per cent of
companies stated that a non-IT executive was in charge of security, 22
per cent said they had a manager whose remit was to deal exclusively
with security.


