Organizations have heightened their awareness of insider security threats, but still struggle with how to mitigate the risk of the “human factor” and protect information assets, a new report, "Privileged User Abuse & The Insider Threat," reveals.
Privileged users have always posed a threat to companies, whether they expose information inadvertently or with malicious intent. But, in the aftermath of Edward Snowden's revelations and Wikileaks, “awareness is high — 88 percent recognize insider threats are cause for alarm,” believing that the risk of privileged user abuse will grow or remain the same in the next two years, Michael Crouse, director of insider threat strategies at Raytheon, the company that commissioned the study from the Ponemon Institute, told SCMagazine.com.
But, he added, 69 percent don't have tools that provide contextual information or the ones they do have generate too many false positives.
The findings come from a survey of 693 respondents qualified as privileged by their level of access to the IT networks, enterprise systems, applications and information assets in their organizations. Of those respondents, 75 percent said they required privileged status to do their jobs, the other 25 percent said they didn't, but had it anyway for two main reasons — 38 percent said coworkers at their level had access for no particular reason and their organizations didn't revoke access when their roles changed within the company.
That reflects a common problem revealed in the survey. Organizations simply don't have policies for assigning privileged user access, according to 49 percent of the respondents. Although, there has been an uptick — from 31 percent in 2011, the first year Ponemon published this report, to 35 percent in 2014 — in the number of organizations that have well-defined policies in place, centrally controlled by corporate IT.
That's a situation that organizations must remedy soon, considering that 55 percent of the respondents said that curiosity, not job necessity, drove them to access information and 73 percent believe they have the authority, feel empowered, to access data.
“What they do with information is where the rubber meets the road,” Crouse said. “Companies need to bolster guidelines for what people are doing with it."
Squeezing out more budget dollars would also help.
“Only 40 percent have a dedicated budget allocated to reducing insider threats,” explained Crouse.
The survey shows that slightly more, 43 percent, do not have dedicated budgets to invest in technologies that will reduce insider threats.
But while budget dollars are hard to come by and policy guidelines fall short, the processes for mitigating risk and improving security are flourishing.
The survey found that 57 percent of the respondents use commercial off-the-shelf automated solutions to grant user access privilege, that's a significant upswing from 2011 when only 35 percent said they employed those tools.
Also on the rise? Using manual processes such as by phone or email grew to 40 percent, from 22 percent in 2011.
Organizations can better fend off insider security threats, said Crouse, if they follow a 9-step program that includes formally establishing a program, stating a business case, assembling a team (this year's survey showed that business unit managers are taking a bigger role, with 51 percent identifying that position as the one that handles granting access) and involving stakeholders.
In addition, education is key to a successful program as are the right tools. In the same way that a factory supervisor used to sit perched behind glass watching workers below, “you need technology that can look at someone's behavior and action on the endpoint,” he explained, urging companies to “select the technology that works for your corporation.