PCWorld takes a look at a new report from Forrester (“Understand The State Of Data Security And Privacy: 2013 To 2014“) that finds the biggest security threats to companies comes from insiders accidentally misusing their data access (but there’s also the threat of insiders deliberately abusing their access privileges, as well):
Forrester recently released its Understand the State of Data Security and Privacy report, which offered insight on the reasons behind data breaches, with internal threats emerging as the leading cause. The survey—which featured respondents from Canada, France, Germany, the U.K., and the U.S. from companies with two or more employees—also covered other topics, including how security budgets are being allocated and the changing landscape of security teams’ responsibilities.
According to Forrester’s research, insiders take the cake as the top source of breaches in the last 12 months, with 36 percent of breaches stemming from inadvertent misuse of data by employees. Obviously, the issue here is ignorance; the study’s numbers indicate that only 42 percent of the North American and European small and midsize business workforce surveyed had received training on how to remain secure at work, while only 57 percent say that they’re even aware of their organization’s current security policies. […]
It’s also important, however, that the business has some amount of visibility to what’s happening on its networks, given that 25 percent of respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year. While a lot of security focus is on looking outwards and what’s coming in, [Heidi Shey, a Forrester analyst and the author of the report,] said, there also needs to be some attention being paid to looking inwards and seeing what’s going on within the company and what’s going out.
There could be, for example, someone who has employee level access to segments of the network so everything they do looks like employee activity. As such, companies often aren’t looking at something like that even though it could be suspicious. […]
Since some of the solutions, like data leak prevention, are not a silver bullet, Shey recommended a more holistic approach to security by using a data control framework. Things like data leak prevention and encryption are useful for data protection, she said, but they’re very tactical. “You need to be more strategic on a higher level,” she said. “That’s where this kind of framework comes in.”