Survey Finds Well-Meaning Insiders Pose Security Threats

  • Dec 10, 2007

RSA, The Security Division of EMC, recently announced the findings of its recent insider threat survey. Conducted by RSA in early November, the person-on-the-street survey polled government and corporate office workers in Boston and Washington, D.C. on their work-related security behaviors and attitudes.

The results provide a snapshot of the everyday actions of trusted insiders who have access to sensitive data such as customer information, Social Security numbers, credit card data, company financials and intellectual property.

The results of the survey underscore that the risk posed to data by well-meaning insiders -- employees, contractors, suppliers, partners, visitors and consultants who have physical and/or logical access to organizational assets -- must be as closely managed as that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes. These "innocent" insiders can unwittingly create data exposures of extraordinary scope and cost through their ordinary, everyday behavior, whether through carelessness, working around security measures or following inadequate security policies.

The survey results indicate that trusted insiders may work around unmanageable security policies in order to get their work done. For instance, employees who don't have remote access may e-mail a document to their personal email address so they may work on it later from home - an action that violates most organizations' stated security policy. The survey found that:

  • 35 percent of respondents have felt the need to work around their organization's established security policies and procedures just to get their job done.
  • 63 percent of respondents frequently or sometimes send work documents to their personal e-mail address so that they can access them from home.

When trusted insiders work around security policies, usually no harm is intended. Regardless of intent, sensitive data can be exposed, subjecting the organization -- and possibly consumers -- to unnecessary risk. Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business. Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy.

Not surprisingly, the survey results indicate that employees depend on remote access to corporate information while on the road, waiting at airports or working in coffee shops:

  • 87 percent of respondents frequently or sometimes conduct business remotely over a virtual private network (VPN) or Web mail.
  • 56 percent of respondents frequently or sometimes access their work e-mail via a public wireless hotspot (i.e. a wireless Internet connection at a coffee shop, airport, hotel, etc.).
  • 52 percent of respondents frequently or sometimes access their work e-mail via a public computer (i.e. a computer at an Internet cafe, airport kiosk, hotel, etc.).

Remote access to sensitive data calls for stronger authentication than a user name and password -- which can be easily and quickly defeated. Organizations can maintain the flexibility of remote access while protecting sensitive data by requiring two-factor authentication to VPNs and Web mail.

Additionally, companies can mitigate the risk of data loss in mobile environments by creating, monitoring, and enforcing information-centric policies.

"Organizations must understand the types of information their employees and other insiders need to access, determine the sensitivity of that information and then protect it with security measures commensurate with the associated risk," said Sam Curry, vice president of product management and product marketing at RSA. "Well-protected information is an asset that gives individual workers and organizations the confidence to achieve more."

The survey findings illustrate that for employees to be most productive and for information to be most valuable to an organization, information has to be free to move:

  • 65 percent of respondents frequently or sometimes leave their workplace carrying a mobile device such as a laptop, smartphone and/or USB flash drive which holds sensitive information related to their jobs (i.e. customer data, personally identifiable information such as Social Security numbers, company financials, credit card data, and competitively sensitive information such as product plans).
  • 8 percent of respondents have lost a laptop, smartphone and/or USB flash drive with corporate/organizational information on it.

While mobility is essential to business agility, unprotected information -- whether at-rest, in-motion, or in-use -- increases risk. Organizations can minimize the risk by reducing the use of sensitive and personally identifiable information wherever possible and protecting sensitive information wherever it is: in-use at personal endpoints, at-rest on corporate file systems and databases, and in-flight across corporate and non-corporate networks. Organizations may also consider establishing automatic control and enforcement actions -- to allow, audit, discard, quarantine or encrypt transmission -- based on the sensitivity of the data. Physical security is absolutely vital to overall security and yet, the survey findings reveal that sometimes people hold the door (and wireless network) wide open. The survey revealed that:

  • 34 percent of respondents have held a secured door open for someone at work they didn't recognize.
  • 40 percent of respondents have been let into the building by someone that didn't know them after forgetting their access card/key.
  • 66 percent of enterprise respondents said that their company provides a wireless network internally for use in conference rooms and guest offices. Of those who have such a wireless network, 19 percent reported that access to the network is completely open, no credentials required.

Physical access policies are not always adequate to guarantee that only authorized insiders are in the building. And even when physical access controls are working properly, not all people with legitimate access to the building should necessarily have access to an organization's information. To minimize risk, physical security controls should be coupled with logical access controls. Organizations can help protect sensitive data by implementing two-factor authentication to internal wireless networks, desktops, domains, ports and applications, and enforcing appropriate access controls.

Change is a constant in organizations. Every day, roles change within the company and contractors and consultants come and go. The survey results tell us that security updates sometimes lag behind:

  • 33 percent of respondents have switched jobs internally and still had access to accounts/resources which they no longer needed.
  • 72 percent of respondents reported that their company/organization employs temporary workers and/or contractors who require access to critical organizational information and systems.
  • 23 percent of respondents have stumbled into an area of their corporate network to which they believe they should not have had access.

Access to highly sensitive or personally identifiable information should be granted on a need-to-know basis. As such, organizations can reduce the risk of exposure by implementing role-based access to critical information. Companies should make certain that role changes -- including those of contractors and consultants -- are promptly reflected in access privileges. Finally, organizations can mitigate information risk by centrally and tightly managing insider credentials, including usernames/passwords, one time passwords and digital certificates, and developing watch lists to track and alert them to unauthorized access attempts.

The full report can be viewed at http://www.rsa.com/company/news/releases/pdfs/RSA-insider-confessions.pdf.

Featured

  • 2025 Gun Violence Statistics Show Signs of Progress

    Omnilert, a national leader in AI-powered safety and emergency communications, has released its 2025 Gun Violence Statistics, along with a new interactive infographic examining national and school-related gun violence trends. In 2025, the U.S. recorded 38,762 gun-violence deaths, highlighting the continued importance of prevention, early detection, and coordinated response. Read Now

  • Big Brand Tire & Service Rolls Out Interface Virtual Perimeter Guard

    Interface Systems, a managed service provider delivering remote video monitoring, commercial security systems, business intelligence, and network services for multi-location enterprises, today announced that Big Brand Tire & Service, one of the nation’s fastest-growing independent tire and automotive service providers, has eliminated costly overnight break-ins and significantly reduced trespassing and vandalism at a high-risk location. The company achieved these results by deploying Interface Virtual Perimeter Guard, an AI-powered perimeter security solution designed to deter incidents before they occur. Read Now

  • The Evolution of ID Card Printing: Customer Challenges and Solutions

    The landscape of ID card printing is evolving to meet changing customer needs, transitioning from slow, manual processes to smart, on-demand printing solutions that address increasingly complex enrollment workflows. Read Now

  • TSA Awards Rohde & Schwarz Contract for Advanced Airport Screening Ahead of Soccer World Cup 2026

    Rohde & Schwarz, a provider of AI-based millimeter wave screening technology, announced today it has won a multi-million dollar award from TSA to supply its QPS201 AIT security scanners to passenger security screening checkpoints at selected Soccer World Cup 2026 host city airports. Read Now

  • Brivo, Eagle Eye Networks Merge

    Dean Drako, Chairman of Brivo, the leading global provider of cloud-native access control and smart space technologies, and Founder of Eagle Eye Networks, the global leader in cloud AI video surveillance, today announced the two companies will merge, creating the world’s largest AI cloud-native physical security company. The merged company will operate under the Brivo name and deliver a truly unified cloud-native security platform. Read Now

Most   Popular

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.