Network access control, not perimeter security, should be priority, says Cyber-Ark exec

Bosnian believes there needs to be a security “bubble” around the privileged accounts that contain sensitive information, rather than beefing up perimeter security

According to Cyber-Ark's Trust, Security and Passwords report, 18% of IT managers surveyed said that they had cases of insider sabotage or IT security fraud at their workplace. Also, 16% of C-level executives believe that competitors may have received sensitive information or intellectual property from sources within their own organizations.

The report, which surveyed 1,422 IT managers and C-level professionals, highlights the need for organizations to do a better job at securing access to sensitive information within the organization, Bosnian told Infosecurity. There needs to be a security “bubble” around the privileged accounts that contain sensitive information, he stressed.

“The door that [hackers] use to gain access to sensitive or critical information very often is a privileged account or an account where they can escalate their privileges”, Bosnian observed.

Bosnian said that organizations need to “stop throwing money at the macro problem and look at it from the bottom up perspective.” He cited statistics from the Boston-based 451 Group that organizations spend $7 to $8bn annually on perimeter security products that often prove ineffective.

An issue related to internal network security is the problem of “snooping” by insiders who have access to privileged accounts. According to the survey, 28% of North American respondents admitted to gaining access to information on a system that was not relevant to their company role, while 44% of European respondents admitted to the same.

In addition, 20% of North American respondents and 31% of European respondents said that they or one of their colleagues used an administrative password to access information that was confidential or sensitive.

Close to half of respondents said that the IT department was the most likely to snoop, followed by managers (10%) and human resources (7%).

According to the results, 77% of North American IT managers said their perceptions have changed as a result of data breach laws and regulations, while far fewer European managers, 24%, felt the same way.

Information security regulations, such as the Sarbanes-Oxley Act, have given IT professionals “powerful tools” to get upper level management support for fixing internal security problems, Bosnian said.

Cyber-Ark found that 57% of C-level respondents currently utilize a virtualized or cloud-based computing environment. When asked if they had technologies in place to manage administrative access to the databases and systems in those environments, the majority said yes.

The same percentage of C-level executives said that in the next one to three years, external threats such as cybercriminals will become a greater security risk than insider threats. Hackers are “much more sophisticated, much more coordinated, very targeted” at data that has “exponential” value, Bosnian said.

“At the end of the day, organizations that have very sensitive information need to find a way to isolate that so that only the right people gain access to it, bad people can’t gain access to it, and you need to make sure all of those doors are closed”, he concluded.
