Complacency and low levels of security awareness are contributing to a major insider threat facing UK organizations today, according to new research from Cisco.
The networking giant interviewed 1000 employees to uncover their attitudes towards information security and the IT department’s role.
It found that, often unintentionally, staff are becoming a big part of the problem.
Just over half (58%) were aware of security threats and the risk they pose to corporate information, while 39% said they thought it was the company’s responsibility to protect data.
More worrying still is that almost two-thirds (62%) said their behavior has only a low to moderate impact on security, and almost half (48%) claimed they weren’t bothered about their corporate security policy because it didn’t affect their role.
Interestingly, twice as many said they were more careful about data security at home (24%) than at work (12%).
Privacy watchdog the Information Commissioner’s Office (ICO) has frequently been forced to fine organizations for data handling lapses, most of which stemmed from employee error.
A report from consultancy IT Governance in November last year claimed the ICO has handed out £2.17m in fines over the past 22 months as a result of breaches of the Data Protection Act (DPA).
One third (32%) of all incidents came as a result of personal or sensitive data being inappropriately disclosed or sent to the wrong recipient by staff – the biggest single factor in the data breach incidents it investigated.
Cisco UK cyber security director, Terry Greer-King, argued that industry- or government-led initiatives designed to bring organizations together and help them share information and best practices are a key step to tackling external and internal threats.
“We’ve seen huge growth in establishing communities centered around the sharing of threat intelligence, and crucially best everyday practice and processes,” he told Infosecurity by email.
“It is time though to encourage personal responsibility with regard to risks online. People have had millennia to learn about risks in a physical world but only a few years in a digital world. Whilst organizations and government can take on even more responsibility it is the duty of all of us to become more risk aware. We connect digitally in all aspects of our lives.”
Organizations can also use technology to help model and monitor user behavior and flag anything anomalous, in a bid to reduce the insider threat.
“As ever this is not a 100% guarantee, but technology to provide contextual network access exists and should be deployed,” he argued. “Implemented well this also helps in empowering good users to make more efficient use of services.”
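The behavioral monitoring mentioned above, as an added illustration that is not Cisco's code or part of the article: a per-user baseline over outbound mail-gateway records that flags a day whose count of messages to external domains sits far above that user's own history, and separately flags first-time external domains. It tracks the error type the ICO figures highlight (data sent to the wrong recipient) and the anomaly-flagging approach Greer-King describes. The records, the user names and the domains (`corp.example`, `partner.example`, `vendor.example`, `filehost.example`) are constructed for the example.

```python
"""Baseline-and-deviation detector for outbound-mail insider-risk signals (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_DOMAIN = "corp.example"  # assumed corporate mail domain (constructed)

# Constructed outbound-mail gateway summary: (day, sender, recipient_domain, message_count).
# alice normally sends one or two messages a day to a known partner; on day 6 she sends
# nine to a domain never seen before. bob's pattern is flat throughout.
SAMPLE_RECORDS = [
    (1, "alice", "partner.example", 2), (1, "bob", "corp.example", 3),
    (2, "alice", "partner.example", 1), (2, "bob", "vendor.example", 1),
    (3, "alice", "partner.example", 2), (3, "bob", "corp.example", 2),
    (4, "alice", "partner.example", 1), (4, "bob", "vendor.example", 1),
    (5, "alice", "partner.example", 2), (5, "bob", "corp.example", 1),
    (6, "alice", "filehost.example", 9), (6, "bob", "vendor.example", 1),
]


def external_counts(records, internal_domain=INTERNAL_DOMAIN):
    """Aggregate records into per-user, per-day external message counts and domain sets.

    Internal-domain traffic is ignored: the signal of interest is data leaving the organization.
    """
    counts = defaultdict(lambda: defaultdict(int))
    domains = defaultdict(lambda: defaultdict(set))
    for day, user, domain, n in records:
        if domain.lower() == internal_domain:
            continue
        counts[user][day] += n
        domains[user][day].add(domain.lower())
    return counts, domains


def flag_anomalies(records, target_day, history_days=5, z_threshold=3.0, std_floor=1.0):
    """Return {user: finding} for users whose target_day activity deviates from their baseline.

    A user is flagged when today's external count is at least z_threshold standard deviations
    above the mean of the previous history_days, or when they mail a domain not seen in that
    window. Days absent from the log count as zero. std_floor stops a user with a perfectly
    flat history (std = 0) from being flagged by a single extra message.
    """
    counts, domains = external_counts(records)
    window = range(target_day - history_days, target_day)
    findings = {}
    for user in counts:
        history = [counts[user].get(d, 0) for d in window]
        baseline_mean = mean(history)
        baseline_std = max(pstdev(history), std_floor)
        today = counts[user].get(target_day, 0)
        z = (today - baseline_mean) / baseline_std
        seen_before = set().union(*(domains[user].get(d, set()) for d in window))
        new_domains = sorted(domains[user].get(target_day, set()) - seen_before)
        if z >= z_threshold or new_domains:
            findings[user] = {
                "today": today,
                "baseline_mean": round(baseline_mean, 2),
                "z": round(z, 2),
                "new_domains": new_domains,
            }
    return findings


if __name__ == "__main__":
    for user, finding in flag_anomalies(SAMPLE_RECORDS, target_day=6).items():
        print(f"{user}: {finding}")
```

Only alice is flagged for day 6 (nine external messages against a baseline of 1.6 a day, plus a never-before-seen domain); bob's single message to his usual vendor domain is within his baseline. In practice the findings feed a review queue rather than an automatic block, which is the contextual, non-guaranteed control the article describes.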