RSA: Insider Carelessness Cause Of Most Security Threats

It seems like cyber threats come from everywhere, but in reality, the greatest threat to any workplace will likely be from an insider and it will probably be an accident. A survey released today from RSA, the security division of EMC, indicated that the biggest threats in a workplace are often unintentional, often resulting from carelessness or ignorance of individuals within the organization or company.

"The plain fact of the matter is, a simple thing that we might not be aware of can expose risk," said Sam Curry, vice president of product management and marketing at Bedford, Mass.-based RSA. "In some cases, the bad guys are looking for those. There are certain social human behaviors that the bad guy can watch for and exploit."

The "person on the street" survey, conducted in November, anonymously polled government and enterprise workers in Boston and Washington D.C. in an effort to assess everyday behavior that had the potential to compromise security and put sensitive information at risk. While seemingly harmless or well-intended, these behaviors can subsequently initiate data exposure of extraordinary proportions, resulting in enormous financial loss.

"The real assets are data assets. It's all about information. Really what we've got to do is minimize risk around information," said Curry. "The bad guys are into fraud. They're very well funded, and they are extremely motivated to make money. You can reduce a lot of risk by taking away the innocent mistakes."

Some of these innocent mistakes are committed by individuals who circumvent security regulations just to get their jobs done. While the survey found that most companies provide training on security best practices, about 35 percent of respondents felt that they needed to work around their company's established security policies just complete their job-related duties. In addition, 63 percent of respondents said that they frequently or sometimes sent work documents to their personal e-mail address so they could complete their tasks at home, and more than half said that they have accessed their work e-mail from a public computer.

Changing insider roles also played a large role in compromising security. An overwhelming majority -- 72 percent -- reported that their company or organization employs temporary workers or contractors who require access to sensitive information and systems. Almost a quarter of respondents polled said they stumbled into an area of their corporate network to which they should not have had access, and 33 percent said they still had access to old accounts or resources after switching jobs internally.

At other times, trusting workers literally hold the door wide open for perpetrators. More than a third of respondents said they have opened a secured door for someone they didn't recognize at work, while 40 percent of workers said that someone else they didn't know let them into their building after they had forgotten their access card or key. And of the two-thirds of respondents that said their company provides a wireless network, 19 percent said that access was completely open, with no login credentials required

"The only surprising part is people actually admitted to [these behaviors] for a change," said Ken Phelan, chief technology officer for Gotham Technology Partners, a solution provider based in Montvale, N.J. "People don't recognize the scope [of accidental threats]. At first they don't want to hear about the scope of it."

The survey was conducted in an effort to increase awareness and hone comprehensive security strategies for business in order to minimize risk brought about by accidental and preventable, behaviors. RSA execs said that the survey was also intended as a starting point to open up risk-based conversations between partners and their clients.

"Massive damage is being done to brands. It can be devastating for a small company. If a law firm has had a breach, that can be devastating. They don't have to have 5,000 or more employees," said Chris Clinton, RSA director of worldwide channels.

"I think we've turned a corner here. There's an awareness inside companies. The message here is you can begin to affect your bottom line and do it in a way that's affordable," echoed Curry. "It's easier to have that conversation now than five years ago."

While survey results did not come as a surprise, partners still maintain that the survey provided a useful tool when speaking to clients about adopting a comprehensive security strategy.

"The greatest thing for me is to have a source to show them," said Phelan. "You can't just ostrich this. You can't just protect yourself with a strongly worded memo."