Policies without enforcement simply aren’t enough to guard against internal threats

Two recent studies of financial sector employees, sponsored by security vendors Cyber-Ark and Actimize and reported last week by Tim Wilson of InformationWeek, indicate that employees are ready and willing to steal information from their employers, even though they know such actions violate laws as well as company policies. Taken together with findings from the 2009 Computer Crime & Security Survey from the Computer Security Institute (results were presented yesterday in a CSI webcast and will be released publicly on December 8 from www.gocsi.com), this makes clear that even when security awareness is made a priority, organizations need more than rules, policies, or even laws to protect themselves from insiders.

Notable survey results include a rise in malware and disruptive intrusions, including denial of service attacks, at least in terms of the proportion of respondents experiencing such incidents. Judging from the reported organizational responses to security incidents, the primary approach to security among surveyed organizations continues to be reactive, with security awareness a weak spot. As often highlighted in the context of laptop thefts and other high-profile data breaches, unauthorized disclosures are often the result of employees knowingly violating existing security policies, whether for convenience, through negligence, or for malicious purposes. Even the best-intentioned employees may need the reinforcement of technical measures that enforce what policies or regulations state. When companies are given credible information indicating that employees will disregard the rules whenever it suits them, the need for data loss prevention and similar safeguards could not be clearer.