Layoffs prompt insider threat fears, cybersecurity survey finds

By Robert Westervelt, News Editor
11 Nov 2009 | SearchSecurity.com

Results from a new survey suggest IT professionals must be constantly vigilant in watching for employee reprisals against company systems, thanks to the uncertain economy and, in some cases, multiple rounds of layoffs.

The 12th annual Ernst & Young Global Information Security Survey of nearly 1,900 senior executives found that 75% of respondents were concerned with the possibility of reprisal from employees who have left their organizations. While many of those surveyed were concerned about malicious former employees, far fewer were doing anything about it. Fewer than half (42%) were weighing the risks and only 26% were taking steps to address insider threats.

The report, issued Tuesday, is the result of a survey conducted among senior IT professionals between June and August 2009. Ernst & Young conducted field interviews with executives in 60 countries. The report supports earlier industry surveys warning how the sluggish economy could result in increased threats, reduced budgets and delays on IT security projects at many enterprises.

Senior IT executives indicated they were under pressure to cut costs, relied on current security systems and struggled to attract and maintain skilled and trained information security talent. They said finding adequate budget for security initiatives will be a major challenge for the coming year.

"These are clear indicators that information security is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum," according to the report.

The result is a renewed focus on understanding potential threats and addressing them over time with a minimal investment in technology. Fifty percent of survey respondents indicated that they planned to spend more on security risk management, and 39% planned to spend relatively the same amount on this initiative over the next year. Meanwhile, regulatory compliance is taking a back seat, with 60% indicating spending would remain the same.

For those spending on new technologies, data leakage prevention (DLP) software and appliances seem to be the top choice. About 90% of those surveyed said they would spend either the same or more on DLP-related technologies. DLP also ranked as the second-highest priority of organizations during the next 12 months, behind regulatory compliance activities. DLP focuses on employee behavior as it relates to data changes and movement in the environment. Companies can use the technology to detect policy violations by monitoring traffic. Some firms have found it to be an effective way to enforce security policies and user awareness programs.

Despite an increase in virtualization technology deployments as a result of the cost savings associated with pooling resources, senior IT executives didn't see it as a major security concern, according to the survey. Seventy-eight percent of respondents indicated they implemented virtualization, but only 19% said virtualization was a security priority.

"Clearly, our survey respondents do not recognize the same level of risk with virtualization as would be expected with such a significant and extensive change effort," the report stated. "More alarming is the fact that virtualization security should be a concern, but the majority of organizations and security leaders are ignoring its implications."

One recent survey by Nemertes Research indicated that companies are avoiding spending on virtualization security technologies until the market matures.

The survey also found senior IT executives perceived an increase in external and internal threats. Forty-one percent of respondents noted an increase in external attacks and 25% of respondents said they witnessed an increase in internal attacks. The concerns ranged from phishing and website attacks to employee privilege abuse and theft of proprietary data.

A number of security studies have documented a rise in Web-based attacks, fueled by an increase in employee use of social networks, blogs and Web applications. Others have documented the need for a greater emphasis on maintaining updated patches on employee productivity tools such as PDF viewers, media players and browser components, which include Flash and Java-based tools.

Compliance remained the top priority of enterprises. When asked about the importance of specific security activities, 46% of respondents indicated that complying with regulations was very important, with an additional 31% considering it important.

The report also found that compliance costs continue to rise; 55% of those surveyed indicated moderate to significant increases in compliance-related costs as part of overall security costs.

"This may be an indication that organizations are spending too much of their security budgets on demonstrating point-in-time compliance as opposed to implementing a comprehensive information security program where compliance is a by-product and not the primary driver," the report stated.
