Security professionals worry about threats from outside attackers, but it's the danger from within the company that really keeps them awake at night.
That's a key takeaway from our most recent InformationWeek Analytics/DarkReading.com survey, in which 52% of more than 400 respondents say they're most concerned about internal risks, including both accidental and malicious data compromises by employees or business partners during the course of their day-to-day activities
It's hard to say whether these fears are driven by a real increase in internal security incidents or by sensationalized media coverage of public reports of internal breaches, spurred by recently instituted mandatory disclosure laws. What we do know is that the relative lack of defenses available for stopping internal attacks is a factor. There are, sadly, few proven methods to stop an employee with a strong will, an ax to grind, and a privileged password.
When asked about the most potentially dangerous individual events that could occur in their organizations, 35% cite another insider-related mishap: the loss or theft of a laptop or portable storage device. Again, this likely reflects recent media coverage of corporate security breaches, in which large amounts of personal data have been lost unintentionally, causing black eyes for the companies involved. Costs for identity-theft protection can pale next to damage to their brands and a loss of customer trust.
In the end, then, what one change would make our lives better--and the company's data safer? The No. 1 wish, by a slim margin, is for "smarter end users who understand security risks." Good luck with that. The No. 2 wish is for more automated security technology that would allow us to do less firefighting and focus more on strategic issues and emerging threats.