BreachExchange mailing list archives

Study highlights the ups and downs of infosec management


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Oct 2013 01:06:00 -0600

http://www.csoonline.com/article/740269/study-highlights-the-ups-and-downs-of-infosec-management

September 24, 2013 — A new study from Harris Interactive, sponsored by
identity and access management firm Courion, offers some interesting
insight into the risk profile of more than 2,000 adults.

The study was commissioned by Courion to focus on risky behavior, but CSO
found it interesting for a completely different matter. The results offer
an unfiltered view into how people think.


When adults were asked whether they know at least one co-worker who is, or
has been, accessing company information they shouldn't have access to, or
whether they themselves are doing so, 74 percent of those who took part in
the study said no. This is good news, as it shows that people for the most
part can be trusted with access.

The downside is that the remaining 26 percent of the same group either knew
someone accessing data they shouldn't or, worse, were accessing that data
themselves. This is where many organizations struggle, and stories of loss
due to a trusted insider fall squarely into this group. Two other questions
relate to trusted access: one dealing with job change, and the other with
outright theft.

Account management has always been an issue that any security organization
needs to deal with. Once an employee leaves the job, their access to the
network and corporate systems needs to be revoked. However, according to the
study, 16 percent of the adults questioned reported that they were still
able to use old usernames and passwords to access their former employer's
systems, applications, or customer accounts.

Moreover, 15 percent of them admitted that if they knew they were about to
be fired, they would take company information such as customer data, price
lists, or production plans with them. Obviously, the upside of those stats
is the fact that the majority had no access after leaving, and would not
take sensitive information if they knew the axe was falling.

The picture painted here, again, is that people for the most part can be
trusted, but there will always be an exception to the rule. This is why
access controls and monitoring are important layers to any rounded network
defense strategy.

"It's worrisome that despite years of software development and
awareness-building, many organizations still lack control and insight into
the growing access risk within their own walls," said Chris Sullivan, vice
president, advanced intelligence solutions at Courion, in a statement on the
data.

Risk from within is a topic that CSO covers extensively, the most recent
example being a study last month from TNS Global. According to that study,
30 percent of those surveyed admitted they would open an email, even if
they were aware that it contained a virus or was otherwise suspicious.

According to the Harris Interactive study, when asked if they had clicked on
an email at work that they suspected of being a phishing email or otherwise
fraudulent, 21 percent of the respondents admitted to doing so. Further,
the same group also said they didn't inform IT of their actions.

"These are otherwise intelligent people who, if informed about the
potential consequences of their actions, would do the right thing," said
Sullivan.

"Any employee may succumb to natural curiosity. Before curiosity kills the
cat, organizations need to get their arms around this behavior. They need
to educate their employees and use systems that eliminate risky activities."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 