[ISN] Curious employees are biggest security risk

From: InfoSec News (isnat_private)
Date: Tue Mar 05 2002 - 00:18:03 PST

    By John Leyden
    Posted: 04/03/2002 at 19:01 GMT

    Forget about Internet crackers, employees are the biggest security
    problem for most businesses.

    That's the main conclusion of a survey of UK IT managers which
    suggests that most firms are prepared for the threats posed by viruses
    and hackers, but are still struggling to secure data on their own

    Around half (51 per cent) of the respondents to the Oracle/Institute
    of Directors-sponsored survey, said that internal security breaches
    were a bigger threat to business than those originating outside their
    companies. This belief was particularly strong among smaller firms.

    Oracle quotes a study by the Computer Security Institute (CSI) which
    concluded that the average insider attack cost the target enterprise
    approx. $2.7 million, compared with $57,000 for the average outside

    Oracle reckons firms need to switch their attention to securing data
    on their networks from "curious" employees via measures such as
    encryption and password protection.

    This is easy enough, Oracle suggests, but "90 per cent of the time
    businesses will not put these safeguards in place because of drains on
    performance or other similarly weak excuses."

    One in three of the 100 IT managers polled during the survey cited the
    loss of customer confidence as the most damaging aspect of a security
    breach. Downtime and loss of commercially sensitive information (both
    23 per cent) were selected as the next most important. Credibility (14
    per cent) and loss of revenue (7 per cent) were selected as the least
    important factors.

    In a worrying finding for the development of e-commerce, more than a
    quarter (27 per cent) of respondents to the Oracle study stated that
    concerns over security had prevented them granting external customers,
    suppliers or partners access to their Web site. This sentiment was
    expressed most strongly by firms with a turnover exceeding 250m, the
    study (conducted by IT research consultancy Vanson Bourne) discovered.

    The survey reveals a certain amount of confusion among IT managers as
    to where responsibility for security lay. While 32 per cent of
    companies stated that a non-IT executive was in charge of security, 22
    per cent said they had a manager whose remit was to deal exclusively
    with security.