That's a key takeaway from our most recent InformationWeek Analytics/DarkReading.com survey, in which 52% of more than 400 respondents say they're most concerned about internal risks, including both accidental and malicious data compromises by employees or business partners during the course of their day-to-day activities.
It's hard to say whether these fears are driven by a real increase in internal security incidents or by sensationalized media coverage of public reports of internal breaches, spurred by recently instituted mandatory disclosure laws. What we do know is that the relative lack of defenses available for stopping internal attacks is a factor. There are, sadly, few proven methods to stop an employee with a strong will, an ax to grind, and a privileged password.
When asked about the most potentially dangerous individual events that could occur in their organizations, 35% cite another insider-related mishap: the loss or theft of a laptop or portable storage device. Again, this likely reflects recent media coverage of corporate security breaches, in which large amounts of personal data have been lost unintentionally, causing black eyes for the companies involved. Costs for identity-theft protection can pale next to damage to their brands and a loss of customer trust.
In the end, then, what one change would make our lives better--and the company's data safer? The No. 1 wish, by a slim margin, is for "smarter end users who understand security risks." Good luck with that. The No. 2 wish is for more automated security technology that would allow us to do less firefighting and focus more on strategic issues and emerging threats.
The good news is that we may just have the cash to fulfill that second desire, and maybe a bit to spare for education. Few survey respondents complained about security budget shortages. Despite economic horrors and cutbacks in every industry, the security department is holding its own.
These results track nicely with a number of other industry studies conducted recently, nearly all of which indicate that IT security budgets will increase slightly in the next 12 months. Only 12% of organizations plan to cut security expenditures, and just 5% will cut those budgets significantly. While this doesn't mean that the security space is "recession-proof," it definitely indicates that most organizations don't consider it easily expendable. How else can companies stop the insider threat?