Insiders Pose Greatest Threat to Network Security

by Michael Capozzi

When it comes to security threats, hackers have received a majority of the attention. But a new survey indicates that the two biggest threats to a company's computer security come from insiders--current employees gaining access to files they're not entitled to and former employees whose company passwords have not been changed.

The survey, conducted on behalf of eWEEK magazine and Haifa, Israel-based security software developer Camelot, specifically found that 57 percent of the respondents that recorded a security breach cited users accessing resources they shouldn't be entitled to as one cause of the breaches, while 43 percent cited breaches as a result of accounts left open after an employee has left the company. Next, at 30 percent, was "been the victim of information theft from your network."

But despite these findings, only 26 percent of respondents reported being "very concerned" about insiders having access to more files than they actually need, while 50 percent reported being "somewhat concerned." Forty percent of respondents reported being very concerned about inappropriate insiders having access to sensitive data residing on their file servers; 37 percent reported being somewhat concerned. By comparison, 55 percent of respondents reported being very concerned about outsiders gaining access to sensitive information; and another 32 percent reported being somewhat concerned.

Businesses with fewer than 10 employees were the least concerned about insider security issues; 42 percent of respondents within this category said they are not concerned about insiders having access to more files than they actually need, and 35 percent said they are not concerned about inappropriate insiders having access to sensitive data.

"The results of the survey pinpoint a major Achilles heel too often unknown or underestimated by corporations," says Yuval Baharav, president and CEO of Camelot. "The recently publicized external hacks represent a very small portion of the constant infringements a network endures daily. Too often, authorized behavior goes unchecked."

Insurance companies are also starting to realize the threats that insiders pose. The recently published Chubb CyberRisk Handbook, for which Chubb engaged the services of PricewaterhouseCoopers, has this to say: "Studies have consistently shown that insiders pose more of a threat than third-party hackers. One unfortunate reality of our reliance on networking technology is that a single employee can do far more damage today than was ever possible in the past. With employee turnover increasing, and employee loyalty low, the potential for disaster lurks behind each disgruntled separation."

So what can businesses expect to be covered for?

When looking for help in traditional crime policies and fidelity bonds, risk managers should beware of their exclusions, according to the handbook. "Traditional fidelity bonds and crime policies have a number of important limitations to consider in light of the emerging risks of electronic commerce... The traditional fidelity bond and crime policies exclude coverage for any consequential or indirect losses. Therefore there is no coverage for business interruption for employee dishonesty or extortion-type perils."

The handbook also states that indirect losses as a result of employee or authorized user actions are typically excluded from computer crime policies. "Historically, it has been estimated that 70 percent of the dollar value of crime insurance claims have been paid out under the employee infidelity clause. Employee fraud seems likely to remain the major source of losses for years to come."

COPYRIGHT 2001 Axon Group
COPYRIGHT 2008 Gale, Cengage Learning
