Insiders are the greatest threat to companies' security

Published 12 March 2008

There is a 72 percent likelihood that the next successful attack on your company will come from an insider, says IBM Tivoli executive

The recent scandal at French bank Société Générale has highlighted, if such highlighting was necessary, how vulnerable companies are to insider threats, speakers said Tuesday at the European Computer Audit Control and Security Conference in Stockholm. “Despite all the press and focus on hacking and viruses, there is a 72 percent likelihood that the next successful attack will come from an insider, according to statistics from ISCSA Labs,” said Marne Gordan, GRC market manager at IBM Tivoli. Because such users are already on the inside, they can cause a lot of damage and go undetected for a long time. Reasons for users turning on their employers include financial gain, curiosity and good old-fashioned revenge, according to Gordan.

Monitoring for such abuses is a very sensitive subject because no one likes to think of co-workers as criminals. “It’s something you have to do, and be very open with what you do — not monitor your employees in secret,” said Urs Fischer, vice president and head of IT governance and risk management at SwissLife. Insiders, however, are not only a threat, they are also a company’s first line of defense. “It’s very important to listen to users, but at the same time you have to look out for personal rivalries,” said Gordan. It’s also important to try to work on improving loyalty, according to Fischer. “Working with the HR department is a good idea. Companies can, for example, use training to improve loyalty, and make employees ready for the day they leave,” he said.

As with security in general, there is no technological silver bullet, or revolutionary method, to protect against insiders who want to do harm. Training, which should include contractors and be repeated on a regular basis, is one thing that can mitigate internal security risks. Companies also have to monitor for strange behavior, defend against malicious code and remote attacks, carefully manage accounts, and keep logs to see what’s going on. “Companies are doing the right things, but they need some fine tuning,” said Gordan.