Reprinted with permission from CNET News

New research from the Ponemon Institute finds that 78 percent of IT professionals in the United States claim that their companies have suffered unreported insider-related security breaches.

In other words, we still do not know the full extent of the problem posed by data security.

Insider threats include the misuse or destruction of sensitive or confidential information, as well as damage to the IT machinery where the data is stored. This can come about because of anything from simple mistakes or negligence to reckless behavior and even corporate sabotage. But what are the causes of insider threats, and how can IT professionals respond in time?

In 2005, Ponemon put the direct and indirect expenses of responding to a data breach at $138.39 per data subject. While an organization could expect to spend an average of $3.4 million annually to grapple with insider security breaches, it found that the majority was still investing less than $1 million on preventive measures.

You might have assumed that those headlines would have had an impact. But as we head into the second half of 2006, one is left with the feeling that corporate America is not taking data breach prevention seriously. According to the Ponemon report, the absence of sufficient resources and leadership has undercut efforts to address the insider threat. What's more, often, no single person has been charged with overall responsibility for managing insider security threats.

None of this takes place in a vacuum. Nearly half of the IT pros surveyed lay the blame for lack of funding and leadership on chief executives, who, they say, give the issue low priority. By contrast, 89 percent of respondents say insider data security threats should be taken seriously. Given the current state of affairs, IT departments not surprisingly devote a considerable amount of their time seeking to prevent or control insider threats.

The Ponemon report contradicts the general impression that fired and disgruntled employees represent the greatest risks. Instead, accidental data leaks frequently occur because employees lack enough knowledge about preventive measures or because of employee carelessness.

When asked about what constitutes the greatest risk (each respondent was allowed two choices), here were their answers in descending order: careless employees (34 percent); negligent employees (32 percent); temporary employees (29 percent); disgruntled employees (21 percent); terminated employees (19 percent); partners (16 percent); privileged users (12 percent); and system administrators (11 percent).

Asked how to fix the problem, respondents point to the need for better training programs, as well as independent audits. Technologies can also help, including identity and access management solutions, content filtering, and data leak detection and prevention solutions.

The big question is whether corporate America is ready to follow the lead spelled out by its IT professionals. For its sake, let's hope so.

Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. The views expressed in this column do not necessarily reflect those of Sinrod's law firm or its individual partners.