Survey: Most insider-related data breaches go unreported

Computerworld - Most insider-related security breaches go unreported, according to a new survey by Ponemon Institute LLC in Elks Rapids, Mich.

The main reason that happens is because companies don't have the resources to tackle the issue, according to the National Survey on Managing the Insider Threat, sponsored by ArcSight Inc., an enterprise security management company in Cupertino, Calif. Ponemon Institute surveyed 461 people who work in corporate IT departments in U.S. organizations.

"We found that many of the respondents in our study found that it was difficult, if not impossible, to identify all data breaches that exist -- and over 79% of the respondents said one, if not more, insider-related security breaches at their companies go unreported," said Larry Ponemon, chairman of Ponemon Institute. "Because it's insider-related normally, involving a careless or negligent employee [and] not an evil employee, maybe they are more likely to go unreported because people know each other, and maybe because people know each other, they say it was a mistake and maybe in the future they'll fix it."

Lack of resources and leadership makes it difficult to address the insider threat, said Ponemon, who is also a columnist for Computerworld.

Approximately 93% believe that the No. 1 barrier to addressing the data breach risk is the lack of sufficient resources, and 80% cited a lack of leadership, he said. Another factor is that no one person has overall responsibility for managing insider threats, according to 31% of respondents.

The respondents said they devote a considerable amount of their efforts to trying to prevent or control insider threats as part of their company's IT security risk management program. Approximately 10% said they spend more than half of their time on insider-related risks, and about 55% of respondents said they spend more than 30% of their time dealing with those issues, according to the survey.

"The effort should be focused on things that cause the most heartburn," Ponemon said, noting that while information security practitioners are spending a lot of time on insider threats, they are generally doing so after the fact.

Ponemon said that careless or negligent employees represent the highest risk to the companies that took part in the survey. In contrast, systems administrators and other privileged users represent a much lower insider risk to organizations, he said.

According to the respondents, the average cost of managing the insider threat is about $3.4 million annually and the estimated amount that a company spends to manage such threats is less than $1 million. That suggests that companies are underfunding the management of insider-related risks and vulnerabilities, Ponemon said.

More than 61% of the survey respondents said that accidental data leaks occur "frequently" or "very frequently" because employees or contractors lack sufficient knowledge about preventative measures or because employees or contractors are careless. Almost half of respondents, or 48%, claimed that corporate sabotage, such as the deliberate destruction of IT equipment, occurs "frequently" or "very frequently" because employees or contractors are malicious or disgruntled.

Read more about security in Computerworld's Security Knowledge Center.