An Absolute Software survey of 501 U.S. IT managers and decision makers at companies with 50 or more employees has found that fully 45 percent of repsondents admitted knowingly circumventing their own security policies, and 33 percent admitted having successfully hacked their own or another organization.
“Given that IT is the security gatekeeper for an organization, it was alarming to see such high [incidence] of non-compliant behavior by IT personnel,” Absolute Software vice president of global marketing Stephen Midgley said in a statement.
“Even if these actions are being performed to validate existing infrastructure, senior leadership should be aware that this activity is occurring,” Midgley added. “It may also be worthwhile to consider third-party audits to ensure adherence with corporate security policies.”
Respondents said 33 percent of all security protocols aren’t being followed by staff, and 46 percent of respondents said employees or insiders represent the greatest security risk to their organization.
Thirty-eight percent of respondents have experienced a data breach within the past year.
Sixty-five percent of respondents believe they’d likely lose their jobs in the event of a security breach, and 78 percent believe IT managers are primarily responsible for their organization’s security.
Still, 20 percent don’t have a security breach response plan in place.
“The gaps in current data breach response plans and in upholding general best practice policies must be addressed,” Midgley said.
Separately, a recent Balabit survey [PDF] of 494 IT security practitioners to assess which methods or vulnerabilities attackers are using the most has found that social engineering, including phishing, is currently the most popular method of attack, followed by compromised accounts (e.g. weak passwords) and Web-based attacks (e.g. SQL/command injection).
“The recent data breach of more than 10,000 users from the U.S. Departments of Justice and Homeland Security staff and more than 20,000 Federal Bureau of Investigation employees is an example of how becoming an insider using social engineering tactics is a much easier way for hackers to breach security than writing zero-day exploits,” Balabit CEO Zoltán Györkő said in a statement.
“Traditional access control tools and anti-malware solutions are necessary, but these only protect sensitive assets against hackers outside of the network,” Györkő added. “Once they are inside, even with low level access, they can easily escalate rights and gain privileged or root access in the network posing a much higher risk.”
Among U.S. respondents, 70 percent said insiders pose a higher risk to their organizations than outsiders do.
A recent eSecurity Planet article examined three ways to mitigate insider security risk.