
Careless users biggest security threat

It’s an acknowledged fact that the majority of today’s organisations recognise that insiders, whether careless or malicious, pose a serious threat to their business security.

However, while many entities consider the insider threat to be the insider turned bad – a disgruntled employee willing and able to steal information to sell on to criminal organisations or the company’s competitors – this is only half the story, says Lutz Blaeser, MD of Intact Software Distribution, a partner of Bitdefender in South Africa.

“There is also a very real threat from the careless insider, an employee or other authorised user such as a contractor, who increases risks through careless or reckless actions such as clicking on a link in a phishing email, using dodgy websites for peer-to-peer sharing, or being careless with their password,” Blaeser says. “All behaviours we know to avoid, but too many are lackadaisical about these practices.”

Blaeser says a Splunk-sponsored IDC study released recently revealed that “account takeover as a result of the hapless user remains one of the primary vectors for security breaches in organisations.” However, IDC also came to the conclusion that traditional approaches to security do not address this risk properly.

The survey results are based on the answers from 400 organisations with over 1 000 employees based in the UK, France, Germany, Sweden and the Netherlands.

“There are several key findings from the research, but one of the most alarming is that the malicious insider threat is seen as being low. The majority of organisations do not think that a malicious insider threat is a top concern for their security operation. Only 12% reported it as being of major concern. At the same time, businesses said they are most concerned about fraud, data loss, and unauthorised access to data, all of which go hand-in-hand with a malicious insider.”

It follows then, says Blaeser, that there is a risk that CISOs will focus on the consequences of malicious insiders while the actual threat is limited. “Careless users are more of a threat to the business than their malicious counterparts. The majority of businesses are far more worried about threats such as viruses, APTs and phishing. Most of these types relate directly to another type of threat, namely accidental breaches enabled or caused by reckless users. However, due to the fact that businesses don’t think about these threats in this way, they focus on traditional perimeter-based security tools, which means that breaches caused by careless users are not prevented.”

Several businesses have no tools in place to identify the activity that leads to accidental breaches. “A mere 12% of companies use user-behaviour analytics to detect any anomalous behaviour that might be indicative of a breach of this nature. Some 27% of respondents do not even have basic methods of breach detection, such as log management, in place. There is also a seeming lack of appreciation for learning from previous incidents, which will only lead to mistakes being repeated.”
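The quote above names two of the detection layers it says most organisations lack: basic log management and user-behaviour analytics that flag the kind of anomalies an account takeover produces. The script below is an added illustration of that idea, not code from the article, from Intact, Bitdefender, Splunk or IDC. It works over a constructed, whitespace-separated login/download log (the format, the user names, the countries and the scoring weights are all assumptions for the example), builds a per-user baseline from events before a cutoff date, and then scores later events against that baseline: a successful login from a country or device the user has never used, a login far outside the user's usual hours, a success immediately after a burst of failures, and a file-download volume far above anything seen before.

```python
"""Toy user-behaviour baseline and anomaly scoring over constructed auth/file-access logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp user event country detail
# detail = device name for login events, number of files for file_download events.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z alice login_ok ZA laptop-1
2024-03-04T09:15:40Z alice file_download ZA 3
2024-03-05T08:58:03Z alice login_ok ZA laptop-1
2024-03-05T10:01:22Z alice file_download ZA 2
2024-03-06T09:05:30Z alice login_ok ZA laptop-1
2024-03-07T03:12:09Z alice login_fail RU unknown
2024-03-07T03:12:31Z alice login_fail RU unknown
2024-03-07T03:12:52Z alice login_fail RU unknown
2024-03-07T03:13:10Z alice login_ok RU unknown
2024-03-07T03:20:44Z alice file_download RU 180
2024-03-04T14:10:00Z bob login_ok ZA desktop-7
2024-03-05T14:12:30Z bob login_ok ZA desktop-7
2024-03-06T14:09:12Z bob login_ok ZA desktop-7
"""


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, country, detail = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "kind": kind, "country": country, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events, cutoff):
    """Per-user 'normal': countries, devices, login hours and largest download seen before cutoff."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set(), "max_download": 0})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = base[e["user"]]
        if e["kind"] == "login_ok":
            b["countries"].add(e["country"])
            b["devices"].add(e["detail"])
            b["hours"].add(e["ts"].hour)
        elif e["kind"] == "file_download":
            b["max_download"] = max(b["max_download"], int(e["detail"]))
    return base


def score_events(events, baseline, cutoff, fail_window=timedelta(minutes=10), fail_threshold=3):
    """Score events after the cutoff against the baseline. Weights are illustrative assumptions."""
    findings = defaultdict(list)          # user -> [(timestamp, reason, points)]
    recent_fails = defaultdict(list)      # user -> timestamps of failed logins not yet followed by success
    for e in events:
        user = e["user"]
        if e["kind"] == "login_fail":
            recent_fails[user].append(e["ts"])
            continue
        if e["ts"] < cutoff:
            continue
        b = baseline.get(user)            # .get() does not create a default entry
        if b is None:
            findings[user].append((e["ts"], "activity from a user with no baseline", 1))
            continue
        if e["kind"] == "login_ok":
            if e["country"] not in b["countries"]:
                findings[user].append((e["ts"], f"login from new country {e['country']}", 3))
            if e["detail"] not in b["devices"]:
                findings[user].append((e["ts"], f"login from new device {e['detail']}", 2))
            # Hour check ignores midnight wrap-around; good enough for the illustration.
            if not any(abs(e["ts"].hour - h) <= 2 for h in b["hours"]):
                findings[user].append((e["ts"], f"login at unusual hour {e['ts'].hour:02d}", 1))
            fails = [t for t in recent_fails[user] if e["ts"] - t <= fail_window]
            if len(fails) >= fail_threshold:
                findings[user].append((e["ts"], f"success after {len(fails)} failures", 3))
            recent_fails[user] = []
        elif e["kind"] == "file_download":
            n = int(e["detail"])
            if n > 5 * max(b["max_download"], 1):
                findings[user].append((e["ts"], f"download volume {n} far above baseline", 3))
    return findings


def total_scores(text, cutoff_date):
    """Map each user with findings to the sum of their anomaly points."""
    events = parse_log(text)
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    findings = score_events(events, build_baseline(events, cutoff), cutoff)
    return {u: sum(p for _, _, p in f) for u, f in findings.items()}


def flagged_users(text, cutoff_date, threshold=5):
    """Users whose total score reaches the threshold, sorted by name."""
    return sorted(u for u, s in total_scores(text, cutoff_date).items() if s >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2024, 3, 7)
    for user, items in score_events(events, build_baseline(events, cutoff), cutoff).items():
        for ts, reason, points in items:
            print(f"{ts:%Y-%m-%d %H:%M} {user:<6} +{points} {reason}")
    print("flagged:", flagged_users(SAMPLE_LOG, "2024-03-07"))
```

In the sample, alice's three quiet daytime logins from one device in South Africa form the baseline, so the 03:13 success from a new country and device after three failures, followed by a download sixty times larger than anything before, accumulates a score that crosses the threshold, while bob, whose behaviour never changes, produces no findings. Real deployments replace the whitespace parser with the authentication and file-audit sources the organisation actually retains, which is why the quote treats log management as the prerequisite for everything else.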

According to Blaeser, the majority of companies don’t have the tools, approaches or mindset needed to detect and respond to breaches as they happen. “Most European organisations are still employing tools and measures designed with the protection of a traditional network-based perimeter in mind. Firewalls and antivirus approaches are used everywhere; however, while these tools are still a vital part of the security chain, on their own they are not enough in an age where breaches are inevitable.”

He adds that only a very few businesses have measures such as forensics investigation systems and analytics capabilities in place to identify incidents once they have occurred. “We understand that there is no silver bullet when it comes to protecting organisations from every careless user, and as good as today’s tools are, some bad stuff can still get through. This is why although defensive tools are absolutely vital, on their own they are insufficient. Corporates need to be able to identify and quickly react to incidents if they’re to have a hope of defending themselves against the plethora of dangers out there.”