A glance inward on cybersecurity inadequacy

 

The usual focus of cybersecurity efforts on external threats to an organization and its mission overlooks the central, powerful danger – the inside threat.

“Corporations don’t take their internal security as seriously as they should,” explains Alex McGeorge, senior security researcher at Florida-based Immunity, a provider of specialized offensive information technologies.

McGeorge goes on to emphasize the importance of protecting a corporation from internal threats, explaining, “The attack surface inside of a network is always greater than outside, when you expose that kind of surface to anyone the potential for damage is higher and the potential for detection is lower. With very few exceptions it isn’t difficult to get on the inside of a corporate network if you’re physically proximate to the corporation.”

A new survey titled ‘Boardroom Cyber Watch 2013,’ conducted online by IT Governance, indicates that the outside-threat-centric focus of organizations fails to provide a holistic security posture, specifically against the threat from within.

The survey notes:

  • More than half of respondents say that the greatest threat to their company’s data and computer systems in fact comes from their own employees.
  • A quarter of respondents say their organization has received a concerted attack in the past 12 months. However, the true total may be higher, as over 20 percent are unsure if their organization has been subject to an attack.

Compounding these survey results is the reality that these numbers likely understate the true extent of the problem at hand.

“The survey asking if respondents have been the target of a concerted cyber attack within the last 12 months is interesting in that it exposes the naïveté of the participants,” explains McGeorge, who in addition to being a senior security researcher, has an extensive background in systems administration and network and security engineering.

“The reality is that for an organization of any reasonable size, say over 100 people, someone in that organization has been compromised within the last 12 months. Given what we know about how humans use computers and how bad they are at compartmentalizing that usage, we can safely say that business relevant data was exposed.”

McGeorge’s ‘safe’ assumption about the level of corporate information exposed by internal employees demonstrates that supposition and reality are clearly not aligned. Undeniably, it’s a far cry from the mere 25 percent of participants in the IT Governance survey who acknowledge a cyber attack in the past year.

James Thomas, an analyst at Fairfax-based Information Security Society, underscores McGeorge’s observations and the results of the IT Governance survey regarding insider threats with tangible statistics. Thomas notes, “In 2012, of all the reported large scale corporate and government breaches, roughly two-thirds of those with an accounted for cause were attributable to insider threats, including insider theft, negligence, data on the move, and sub-contractors,” adding, “Only 27.4% of the reported breaches were known to be attributable to external threats.”

It seems clear, and in accordance with the preponderance of evidence, including the new survey results, that the insider threat remains a central and largely unaddressed vulnerability, with the business costs increasing and the threat elusively ubiquitous.

The final takeaway compounds matters and reaffirms the substance of the insider threat: the challenge remains, as it has for years, largely underappreciated and inadequately addressed. Nevertheless, understanding the landscape of the insider threat and the frequency of cyber attacks is only the beginning. The misallocation of corporate funds has clear repercussions and implications for an organization’s customer base and primary clientele.

To make matters worse, the failure to accurately understand the cyber threat, both external and internal, has led to the poor allocation of funds within organizations. In fact, as the IT Governance survey reports, “over 40% of respondents say their company is either making the wrong level of investment in information security or are unsure if their investment is appropriate.”

In the end, the targets and those most likely to fall prey to insider threats are not only failing to act; they are acting ineffectually. It would appear that the inept are leading the blind and the insider is poised to continue to pilfer and plunder unabated in near perpetuity.

To read other articles from the Washington Times Communities, please visit HERE.
