Today, those who steal data from the outside also usually steal the headlines. Witness recent mega-hacks at some very well-known firms:

  • Electronics corporation: criminals accessed, stole and reused usernames and passwords from nearly 100,000 accounts stored on third-party servers
  • Social media site: encoded passwords for 6.5 million (one out of 25) users were filched and openly posted to a Russian hacker site
  • Internet company: hackers broke in and publicly revealed more than 400,000 usernames and passwords

But is there a bigger security story to be told, in which outsiders get no ink?

Trend Micro recently commissioned the Ponemon Institute to get the scoop on threats posed by company insiders.

Human risk factors exposed

In a revealing study entitled “The Human Factor in Data Protection,” researchers surveyed 709 IT and IT security practitioners (manager level and above), with results that were surprising in some respects and not so surprising in others.

Surprising because, despite all the headlines and years of dire admonitions from IT folk, many employees (as well as consultants and others with privileged access) apparently don’t think about, or don’t know how to, properly safeguard data.

Some of the diciest practices routinely engaged in, according to the report, include:

  • Regularly sharing passwords with others
  • Not encrypting laptops, portable media or other mobile data-bearing devices
  • Connecting computers to the Internet through an insecure wireless network
  • Using personally owned mobile devices that connect to their organization’s network
  • Reusing the same username/password combo for many different sites

Smaller business, bigger risks

Perhaps not so surprisingly, researchers also uncovered a greater prevalence of human factor risks among small-to-medium-sized businesses (SMBs) compared with enterprise-sized organizations. In every risk factor category polled, SMBs fared worse than their larger counterparts, by as much as 19% in such basic breach prevention measures as:

  • Credential management (changing usernames/passwords frequently)
  • Deleting spammy or suspicious email attachments
  • Avoiding websites deemed by management as ‘off limits’
  • Secure, responsible use of social media
  • Masking computer screens in public venues
  • Deleting unused data files and performing regular backups

Staying off the evening news

Headlines constantly remind us why businesses—large and small—need to be proactive and intentional about deterring outside threats. But, as the study shows, internal policies and practices may also need attention.

Ponemon experts suggest these measures to mitigate insider risk:

  • Increase security awareness. Spend more time educating employees (and anyone with insider access) about breach prevention and security best practices.
  • Audit your policies. Regular reviews of data protection and governance policies can expose previously hidden gaps and vulnerabilities. Update policies to require immediate reporting of a lost or stolen laptop or mobile device.
  • Neutralize the social media threat. Create or strengthen policies that explicitly govern the use of social media at work.
  • Review credentials. Ensure that those who have privileged data access really need it, and regularly remind users of their personal charge to handle data responsibly.

Poet Alexander Pope reminds us that to err is human. With greater security awareness and training, companies can reduce the risks that human errors cause. And that’s good news for everyone.

Do you think threats posed by negligent or malicious insiders rival those that come from the outside? Why or why not?