“The genie of company data,” Guy Bunker, Senior vice president of products at Clearswift, suggested to Infosecurity, “is out of the bottle. In the old days,” he explained, “company data sat on a server in the data center protected by access control and perimeter defenses. Now its everywhere.” He was explaining the findings of the Clearswift report, The Enemy Within: an emerging threat, which seeks to quantify a known but not really understood contemporary issue: the insider threat.
Clearswift had commissioned Loudhouse “to identify the extent to which internal security threats are affecting UK organizations and, in turn, how these are being managed.” The result shows an anomaly: while company and media discussion – and company spend – is focused on external threats from hackers and malware, more than half of all security incidents (58%) can be attributed to the wider insider family: employees (33%), ex-employees (7%) and customers, partners or suppliers (18%). One of the biggest problems, suggests Bunker, is the way business is conducted today – anywhere, anytime, any device: the BYOD phenomenon.
“End user expectations,” says the report, “combined with their desire for greater flexibility and autonomy, has seen organizations attempt to empower employees whilst balancing their security priorities.” But the IT department is struggling. Eighty-seven percent of IT leaders (93% in the finance industry) believe the use of new technology requires constant change and evolution within security policy; but 72% admit to difficulty in keeping up.
“The survey shows,” Bunker told Infosecurity, “that companies are realizing that BYOD presents a risk, whether it’s from mobile devices attached to the network, or USB and other secondary storage or services people put data on, and which then goes walkabout.” But many companies simply do not know how to handle this risk. Only 31% of organizations are accepting or proactively managing BYOD – the rest are resisting and blocking access where possible (52%) or denying it altogether (11%). This is despite the belief by half (53%) of the respondents that users will continue to use their own devices on the network, whether it is sanctioned by IT or not. “Even where there is a policy,” added Bunker, “it probably covers around only 20% of the things that it needs to cover.”
The problem is that security traditionally defends devices and perimeters – but with the proliferation of BYOD, cloud, social networks and multi-user collaboration, there is no longer a perimeter to defend, and the devices cannot always be protected. “It doesn’t require the user to have any malicious intent,” said Bunker, “he or she could simply lose it and there’s a breach in the offing.” The solution, he suggests, is to get down and dirty with the information itself: to understand what information is sensitive or confidential together with the context in which it is sensitive and confidential, and to secure the information in context. That way, it doesn’t matter whether the threat is internal or external, because what matters – the information – is secured.