Forget cybercriminals – your own employees could be putting your company's confidential data at risk, a new study finds.
Employees with access to sensitive data – such as health care records, private company information, intellectual property or personal records — frequently put their organization's confidential information at risk, according to research from security firm Raytheon Co.
The study discovered that many employees with the highest levels of network permissions in organizations are often granted access to data and areas of the network not necessary for their roles and responsibilities. In addition, 65 percent of the professionals surveyed for the study said it's curiosity, not job necessity, that's driving these same individuals to access sensitive or confidential data.
"Our goal is to also help organizations understand that good people can make mistakes and put sensitive data at risk," said Jack Harrington, vice president of cybersecurity and special missions for Raytheon Intelligence Information and Services. "Even a well-intentioned, seasoned, privileged user with wide access to a network poses great risks because they are high-value targets to corporate 'hacktivists' and persistent adversaries eager to penetrate a company's defenses."
Nearly 50 percent of those surveyed said it's likely that malicious insiders would use social engineering —when employees are psychologically manipulated into giving up confidential information —or other measures to obtain someone's access rights. That compares to just 21 percent who said the same in 2011.
Moreover, 69 percent of the professionals surveyed said their security tools don't provide enough contextual information to determine the intent behind reported incidents, and 59 percent said their tools yield too many false positives.
[For a side-by-side comparison of the best antivirus software visit our sister site Business.com.]
"The results of this survey should serve as a wake-up call to every executive with responsibility for protecting company or customer sensitive data," Harrington said. "While the problem is acutely understood, the solutions are not."
Overall, 59 percent of those surveyed said access controls pose the greatest threat to general business information, followed by customer information, at 49 percent.
The research shows that a lack of background checks and small security budgets are two of the biggest contributing factors to insider threats. Specifically, 57 percent said background checks are lacking in most organizations before issuance of privileged credentials. Additionally, while 88 percent of those surveyed recognize enhanced security as a top priority, less than half of those have a dedicated budget to invest in enabling technologies to reduce insider threats.
"The goal of this survey is to not only share current insider threat statistics but to educate organizations on their privileged users and the threats and attacks that can happen because of the access they own," Harrington said. "If a privileged user wants to do bad things, their elevated access to the company network makes it easier for them."
The study was based on surveys of 693 "privileged users," which are defined as network engineers, database administrators, information-security practitioners and cloud custodians.