By 2005, 60 percent of the costs associated with corporate security breaches will be financially or politically motivated, according to a new report from Gartner Inc.
The industry analyst firm also notes that most of those financial losses will be at the hands of insiders — either working alone or in conspiracy with someone outside the company.
“Security managers and CIOs are well aware of the threat posed by insiders, but often find it easier technically and politically to take action against external threats instead,” says Victor S. Wheatman, managing vice president for Gartner. “Businesses must take steps to secure themselves against criminally intent insiders or resign themselves to suffering significant losses from insider crimes.”
Critical business practices, such as collaboration and knowledge management, demand intensive information sharing, even across businesses. This open access often results in unauthorized use of computers and networks, according to the Gartner report.
“There is a delicate balance between limiting insider access to information and crippling the ability to create revenue,” says Richard Hunter, vice president for Gartner. “Generally, this conflict between security and commerce is resolved in favor of creating revenue and therefore facilitating insider crime.”
The Gartner report matches up with the warnings from a former Secret Service agent in a recent eSecurityPlanet interview.
Larry Cunningham worked with the Secret Service for 20 years and now is an international security consultant with his own company, Essential Security Strategies LLC. And he says companies are doing a poor job of securing themselves from the inside out.
“I’m seeing more insider situations than any coming from the outside,” said Cunningham. “Your workers know how things are configured. They understand the political climate inside and they know the weaknesses that companies have. They might be disgruntled. They’re motivated. Trade secrets can be sold to the competition. Damage can be done. We’ve seen these types of problems generated more from the inside than from the outside.”
Cunningham suggests that companies be proactive and aggressive when it comes to protecting themselves.
“Do more rigorous background checks,” he warns. “As you get closer to more vital pieces of the company’s infrastructure, the checks need to be more stringent. Absolutely, IT workers. Everyone with that kind of access needs to be checked out. And not just the first-time-hire situation. You need to renew the checks every year. People change. Their motivations change.”
And Gartner analysts say businesses also must create and enforce legal agreements defining legitimate use of proprietary intellectual property by trading partners and employees.
“Most businesses don’t have procedures for establishing and enforcing agreements on shared use of intellectual property,” says Wheatman. “Without such legal agreements, misuse is more likely and less subject to recovery.”