26 April 2024

IT outsourcing most affected by data leaks

Contractors and temporary employees represent the greatest insider risk to data security in an organisation, says the survey. (AFP)

By Nancy Sudheer

Information Technology (IT) outsourcing was the sector that suffered the biggest losses globally from internal security risks over the past year, according to a new report.

The next worst-affected areas were healthcare and the public sector, according to the study from IDC and RSA, the security division of EMC.

However, the types of security breaches varied greatly between industries. Unintentional data loss through employee negligence was responsible for the greatest number of incidents (per organisation) in the financial sector (13.7), public sector (14.5) and healthcare (14.5). But the biggest cause in the telecom sector – responsible for 18 cases per company – was malware or spyware attacks from within the enterprise.

The IT outsourcing sector indicated that the highest number of incidents per year (16.3 per company) came from exposure through provisioning or deprovisioning delays. IDC believes this finding is based on the high turnover and lack of infrastructure for handling deprovisioning within the sector.

The technology sector indicated that the highest number of incidents per year (17.9) came from media losses and theft exposing confidential information.

IDC said participants in the technology sector often used multiple devices.

"Given that all devices contain significant data storage capacity, this represents a serious internal security risk if the devices are not managed effectively," says the report.

Organisations in the Middle East are aware of the existence of insider risk, but it is rarely a priority for a majority of them.

Megha Kumar, Senior Analyst, Software at IDC MEA, said: "CIOs need to re-align their priorities and accept the fact that it is not only about protecting themselves from external factors, they also need to have proper solutions to better protect their data internally.

"It would be a bit naive to provide your employees with easy access to company data. IT managers should be given clear definitions not only on user access priorities, but also on what would constitute an accidental or deliberate form of data loss."

Middle East companies have been spending significantly over the past few years on protecting themselves from external threats with firewalls, VPNs, anti-virus programs and identity management solutions, so the outer boundaries are well defined. While CIOs in the region acknowledge that they are vulnerable to losing crucial information either due to deliberate or accidental employee conduct, only a few have actually taken steps to protect themselves from such incidents.

Kumar said within the region, insider risk was greater in countries such as the UAE that had better internet connectivity and more devices such as PDAs and smart phones connected to corporate networks.

Ahmed Abdella, Regional Manager, Middle East, North and West Africa at RSA, said: "Security is everyone's job, not just that of the security team. Internal risks are growing and to remain competitive, CEOs must change the way they defend their business and expand security priorities to address the heightened need for protection from risks posed by an insider.

"CEOs must adopt a holistic strategy to mitigating insider threat that focuses on protecting critical information from misuse, leakage and loss by internal users, whether accidental or deliberate."

The researchers found that contractors and temporary employees represented the greatest insider risk to organisations, followed by technical staff and IT administrators.

This is especially true in the healthcare industry, where almost 40 per cent of respondents view contractors and temporary staff as the greatest risk. Doctors and other healthcare professionals are often associated with several different hospitals.

The complexities of managing multiple account names, passwords and authentication methods can cause a general disregard for security protocols, resulting in inadvertent information breaches.

In the current economic system, IDC believes a growing number of organisations are leveraging temporary staff and contractors to fill staffing voids at every level, from executives and IT managers to general line-of-business workers.

This creates a nightmare for policy management and risk mitigation to ensure that temporary staff or contractors do not have access to the sensitive information that is not pertinent to their role or responsibility.

The technology industry was more concerned about technical staff and IT administrators. The breadth of access and control of critical systems and information is highest with technical staff and IT managers. The important question is: who watches the watchers? The fact is that IT has access to the most sensitive business and personal information in all organisations. Over the years, many IT administrators have turned rogue to get even with executives, business managers and other employees to draw attention to security weaknesses.

While there is a certain logic to their action, the results are generally bad for all concerned.

A high percentage of accidental issues involved contractors and temporary staff. These workers have only a casual understanding of a firm's security policies. Because they are paid by the project, they are focused on hitting deadlines, not complying with internal security policies. They strongly believe that compliance is someone else's problem.

Typically there is no malicious intent. The contractors simply want an active account so they can start work immediately, the next time they get a contract. While this attitude is somewhat admirable, it is misguided because it clearly violates internal security policies and will certainly draw auditors' ire.
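The findings above on provisioning and deprovisioning delays, on temporary staff keeping access that is not pertinent to their role, and on contractors wanting an account left active between engagements all point at the same control: a regular reconciliation of the directory against the HR or vendor roster. The following is an added example, not code from the report, IDC, RSA or the article. It assumes two exports most organisations can produce, a roster giving each worker's type and engagement end date, and a directory dump with an enabled flag and last-logon date; the rows and the user names are constructed for illustration, and the dormancy threshold is an assumption.

```python
"""Deprovisioning audit: flag accounts that should no longer be active.

Added example; it is not part of the IDC/RSA report or the article.
Inputs are constructed in-line so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR/vendor roster: who may hold an account, and until when.
# end=None means a permanent employee with no fixed engagement end.
HR_ROSTER = {
    "a.rahman": {"type": "contractor", "end": date(2024, 3, 31)},
    "j.smith":  {"type": "employee",   "end": None},
    "p.nair":   {"type": "contractor", "end": date(2024, 6, 30)},
    "k.lee":    {"type": "temp",       "end": date(2024, 4, 15)},
}

# Constructed directory export: account state as the identity store sees it.
DIRECTORY = [
    {"user": "a.rahman",   "enabled": True,  "last_logon": date(2024, 4, 20)},  # engagement over, still logging in
    {"user": "j.smith",    "enabled": True,  "last_logon": date(2024, 4, 25)},  # normal permanent staff
    {"user": "p.nair",     "enabled": True,  "last_logon": date(2024, 1, 5)},   # current contractor, but dormant
    {"user": "k.lee",      "enabled": False, "last_logon": date(2024, 4, 10)},  # correctly disabled on exit
    {"user": "svc-legacy", "enabled": True,  "last_logon": date(2023, 11, 2)},  # nobody in HR owns this account
]

AUDIT_DATE = date(2024, 4, 26)  # constructed "today" for the example
DORMANT_DAYS = 60               # assumed threshold; tune to local policy


@dataclass
class Finding:
    user: str
    reason: str


def audit(roster, directory, today, dormant_days=DORMANT_DAYS):
    """Return one Finding per account that needs attention.

    Three checks, in order of severity:
      1. orphaned  - enabled account with no HR/vendor record at all
      2. overdue   - enabled account whose engagement end date has passed
      3. dormant   - enabled account with no logon for more than dormant_days
    Disabled accounts are never reported; they are already deprovisioned.
    """
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        rec = roster.get(user)
        if rec is None:
            findings.append(Finding(user, "orphaned: enabled account with no HR/vendor record"))
            continue
        end = rec["end"]
        if end is not None and end < today:
            days = (today - end).days
            findings.append(Finding(user, f"deprovisioning overdue: {rec['type']} engagement ended {days} days ago"))
            continue
        if (today - acct["last_logon"]).days > dormant_days:
            findings.append(Finding(user, f"dormant: enabled but no logon for more than {dormant_days} days"))
    return findings


def run_audit():
    """Run the audit over the constructed data; returns the list of findings."""
    return audit(HR_ROSTER, DIRECTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.user:12} {f.reason}")
```

On the constructed data this reports a.rahman (engagement ended 26 days earlier but the account is still enabled and in use), p.nair (a current contractor whose account has not been used in over 60 days) and svc-legacy (an enabled account with no owner in the roster); k.lee is not reported because the account was disabled on exit. Run on a weekly schedule with real exports, the "overdue" list is the direct measure of the deprovisioning delay the report describes, and the "orphaned" list catches accounts created outside the HR process.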

In the financial industry, the concern is about outsourcers and "cloud-based" service providers.

The report also explained the importance of specific security budgets. The survey found that 43 per cent of organisations have a specific budget allocated for internal security risks. IDC found that almost 40 per cent of organisations plan to increase spending on internal security risks over the next 12 months and only six per cent have plans to decrease spending.

In the light of the current economy and the fact that many organisations are slashing IT budgets across the board, this is clear evidence that internal security risks are a top priority. The growth in the number of internal security breaches is forcing organisations to increase spending to combat these incidents.

Corporates have to start taking insider threats seriously as employees inadvertently violate corporate policy, says the report.

In fact, the research found that organisations were experiencing an average of 14.4 incidents of unintentional data loss through employee negligence in the past 12 months.

The majority of organisations (52 per cent) characterised their insider threat incidents as predominantly accidental. The study found that only 19 per cent believed insider threat incidents were primarily deliberate. About 26 per cent of organisations believed the incidents were an equal combination of the two factors.

Malware and spyware attacks are another example of the risk of good employees doing bad things. Employees have become very casual about the websites they visit during the workday.

The practice of using URL filtering to prevent employees from visiting non-business websites during the working day is no longer adequate to meet the challenge.

Compromises of legitimate websites by hackers to install malicious code and steal personal or business confidential information have become increasingly common. Various studies have shown that up to 80 per cent of websites containing malware are legitimate businesses.

Microsoft estimated in an April 2009 report that the total number of legitimate web pages being compromised per month was more than one million.

The new report says organisations are experiencing almost one incident per month from each threat. The difference between the top incidents of unintentional data loss (14.4 per year) and the bottom incidents of internal fraud (10.6 per year) is a clear sign that no single solution is the answer to addressing internal security risks.

Chris Christiansen, Program Vice-President, Security Products, at IDC, said: "Employers view their relationship with employees as one of trust and recognise their people are their biggest asset. But the vast nature of an organisation's infrastructure, coupled with a dispersed – often global – employee base and complex internal user mix of employees, consultants, partners and outsourcers make addressing the risks posed by its internal users the biggest security challenge that companies currently face. Whether the risk is intentional or not, it's there. It's real."
