Insider threats are becoming increasingly worrisome to corporate security executives.
That is one of the findings in a survey of C-level businesspeople Nuix released last week."The insider threat seems to be a bigger concern this year than it was in previous years," said Keith Lowry, Nuix's senior vice president of business threat intelligence and analysis.
"People are recognizing that it is a significant weakness that has yet to be fully addressed by most organizations," he told TechNewsWorld.
Insider threat programs are widespread across the broad set of industries represented by 28 high-level executives participating in the study, which was conducted by Ari Kaplan Advisors.
More than two-thirds (71 percent) of the executives said they had either an insider threat program or an insider threat policy.
Throwing Money at Problem
Organizations are spending more money fighting insider threats, the survey found.Nearly a quarter (21 percent) of the surveyed execs said some of their increases in security spending went to bolstering protections against insider threats.
What's more, 14 percent of the participants noted that 40 percent or more of their security budgets went to combating insider threats.
Despite those efforts, the organizations in the survey still had problems tracking access to their critical data.
Most of them (93 percent) could identify their critical data, but only 69 percent said they knew what people did with critical data after they accessed it.
Not Just IT's Problem
"The insider is a dynamic threat, and most organizations are taking a static approach to stopping it," Lowry said."This is not just an IT problem. It's a risk management issue. The C-suite needs to realize that this is a bigger issue," he noted.
"It has to be looked at from the perspective of the whole organization, not just a piece of any part of the organization," Lowry added.
As in the 2014 survey, participants cited human behavior as the greatest threat to their security. Last year, 88 percent of those surveyed identified human behavior as their biggest threat. This year, it was even higher: 93 percent.
CISA Sneaks Into Law
Congress, perhaps unwilling to take the heat during the re-election season for enacting a law that civil liberties groups and some high-profile technology companies say broadens the government's surveillance powers, buried the text of the Cybersecurity Information Security Act in the federal budget bill President Obama signed into law earlier this month.Tucking controversial measures into budget bills is a time-honored tactic to avoid putting legislators on the record on thorny issues that could be used against them when they run for re-election.
From its inception, the bill failed to require that information shared by companies with the government be anonymized.
"The initial proposal of CISA had a bare minimum of provisions to offer some type of privacy protection, but not enough," said Joseph Pizzo, field engineer at Norse.
"What we're seeing now is that these few provisions have been stripped away," he added. "With the changes, organizations can now directly share raw data with several agencies with no protection or anonymity."
Encourages Sharing
Sharing information about cyberthreats can help protect the nation's data assets, but private industry has been reluctant to do so because of liability and antitrust considerations."The bill covers the majority of areas needed to encourage sharing," said Sean Tierney, vice president of threat intelligence at IID.
"It hits on the important and cogent points," he told TechNewsWorld.
"It provides protections against liability for sharing or consuming data, so long as it's done for the sake of cybersecurity," Tierney said.
There are no requirements in the legislation for companies to share information with the government, he added. However, there are requirements as to what the government needs to provide the private sector.
"Many of us see the bill as progress in both protecting privacy and providing data to the country," Tierney said.
0 comments:
Post a Comment