Security Profession blog
Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.
Tuesday 29 July 2008, 12:01 PM
Insider security threat not exaggerated
I was recently reading some research claiming that the insider security threat has been exaggerated (http://www.verizonbusiness.com/resources/security/databreachreport.pdf). The report said that the majority of security threats are external and concluded that the insider threat is not the issue we have all long believed it to be.
I think this is somewhat of a misrepresentation of the real truth. Security professionals have long claimed that the internal threat is the biggest security risk to company information, eclipsing even external breaches such as data leakage and malware. Contrary to this analysis, I think the insider threat has not been exaggerated; it has just been misrepresented. The threat of ‘insider’ security breaches is still very real. But rather than being intentional, malicious breaches, most insider security breaches are more likely to be accidental: the result of companies failing to adequately implement policies and validation controls, or failing to educate staff about security policy.
Information security professionals need to assess what the risks are and where they may come from. Underestimating the real threat of internal security breaches is unwise. There are still plenty of controls that security professionals should implement to stop the sorts of mistakes that really can, and do, impact security, so that they can, as a colleague of mine once said, stop clever people from doing dumb things.
John Colley, CISSP
Managing Director EMEA, (ISC)2