Finance and HR employees represent the biggest cybersecurity threat to organizations of any department, according to new research from security firm Clearswift.
The messaging and web security vendor polled 500 data security specialists in the UK, US, Germany and Australia to compile its findings.
Nearly half (48%) of respondents claimed finance departments and their employees posed the biggest threat, versus 42% for HR.
The main reason for their answers was the fear of staff members in these roles accidentally sending customer details or salaries to the wrong people, or accidentally allowing malware to be installed on machines.
Just 16% said they thought those working in legal represented the biggest threat, indicating that HR and finance employees are thought to be culturally less attuned to cybersecurity risk.
Middle management (37%) was pegged as the highest risk group, compared with just 19% who thought senior managers were the biggest threat, and 12% for execs/admins.
Interestingly, over two-thirds (67%) of respondents claimed that those working in the office represented a bigger data security risk than those off-site – primarily because they have easier access to the data.
Some 88% of companies questioned said they had suffered a security ‘incident’ over the past year, of which 73% were caused by employees, former employees or customers/suppliers, Clearswift said.
The vendor’s senior vice president of products, Guy Bunker, argued that firms must use a mix of people, policy and technology to lock down insider risk.
“It may sound obvious, but understanding what information you hold and how sensitive or critical it is, is the key place to start. Who has access and how it is accessed needs to be assessed before looking at technology to help mitigate the risks,” he told Infosecurity.
“One simple change could be for people working remotely to log into the network to work rather than take information home to work on.”
Successful information security should be about setting up “intelligent, adaptive rules that can make decisions to protect critical information” as well as training staff correctly to spot suspicious activity, Bunker added.
“This needs to be supported with training for all employees from the top to the bottom of the organization – but tailored to specific departments’ issues – to help them understand what data is sensitive and what is and is not acceptable when accessing and sharing that data,” he argued.
“Suppliers and those in the extended enterprise also need to be trained on your information security policies.”