Increasingly aware of the damage an insider can do, organizations are taking steps to strengthen their security measures. However, many continue to focus their efforts on the malicious insider rather than on employee negligence, which is the leading cause of insider incidents according to a survey commissioned by Raytheon/Websense.
The Unintentional Insider Risk in United States and German Organizations Survey, conducted independently by the Ponemon Institute, polled 1,071 IT security practitioners in the United States and Germany. The survey found that 70 percent of US respondents and 64 percent of German respondents report that more security incidents are caused by unintentional mistakes than by intentional and/or malicious acts.
Careless employees leave confidential documents in plain view, share passwords, bypass security procedures, become victims of phishing scams and transfer sensitive data to the public cloud without company approval.
“Maliciousness is tagged as the leading cause in insider threat discussions, but the impact of negligence cannot be overlooked,” said Ed Hammersla, president of Raytheon/Websense. “As the Ponemon study reveals, security incidents are caused by negligence which leads to a decrease in IT productivity.”
The report included respondents from both the US and Germany to determine whether cultural differences in the workplace affect how German and US IT security practitioners manage insider threats. Respondents in both countries agree that employee negligence not only severely diminishes the productivity of the IT function but also causes more security incidents than intentional and malicious acts.
For example, the report stated IT security professionals “spend an average of almost three hours each day dealing with the security risks caused by employee mistakes or negligence,” and “almost two hours is wasted due to insider carelessness.”
However, one of the key takeaways of the report is that German and US respondents have very different perceptions about the unintentional insider risk. For example:
- German respondents are more likely to agree that their organizations do not have the necessary safeguards in place to protect their organization from careless employees;
- US respondents are more likely to agree their employees are not properly trained to follow data security policies and senior executives do not consider data security a priority; and
- German respondents are more likely to consider contractors and third parties a threat. US respondents are more likely to view the privileged insider as being negligent.
Not only do unintentional insiders pose a serious security risk, they are also a significant drain on an organization's resources. The report estimated that employee negligence could cost a US company up to $1.5 million, and a German company up to €1.6 million, in time spent responding to the resulting security breaches.
Consequently, “If security incidents caused by employees’ sloppiness could be reduced, companies could save money,” the report noted.
German and US respondents also differ in how they address the careless insider: Germans are more likely to restrict the practices that create unintentional risk, while Americans prefer to monitor employees' behavior.
“Workplace stress, multitasking, long hours and a lack of resources and budget are the biggest contributors to employee negligence,” Hammersla said. “Having programs in place that include a mixture of training, policy and technology are vital to addressing insider threats before they become a major issue.”