Finance and HR departments, and the people working in them, represent the biggest information security threat to business, according to a study. Nearly half, 48 per cent, said finance departments posed a security threat to their organisation, and 42 per cent said the same of HR (40 per cent and 48 per cent respectively for UK respondents). The research, by data loss prevention company Clearswift, gathered views from over 500 data security specialists in the UK, USA, Germany and Australia.
These concerns relate to the potential for mistakes by employees in these departments such as sending salaries or customer details to the wrong people, or by inadvertently installing malware, of the type suspected to be behind last year’s eBay attack which exposed millions of customer passwords.
The reason is partly because these departments have access to very sensitive data. However, the results suggest cultural factors also make people in these departments a higher risk. Legal and compliance, which have access to equally sensitive data, were considered a much lower risk (only 16 per cent expressed security concerns). The research also suggested mid-career professionals were a higher risk. 37 per cent of respondents said middle management represented the biggest threat, compared with 19 per cent for senior management and 12 per cent for executives/admins. Perceived risk was lower for older employees, but 28 per cent said those aged 35 to 44 were most likely to be behind malicious data theft.
Heath Davies, Chief Executive at Clearswift, says: “Senior managers are generally in tune with the consequences of data loss, whilst junior people often don’t have access to the kind of data that can cause disasters. Middle aged, middle managers are in between – having access to the data but no obvious stake in the consequences of losing it. They are also more likely to be under time and financial pressure, and so may be more inclined to take risks. This makes them more likely to make mistakes or even succumb to foul play”.
Most, 79 per cent said men were more of a worry than women. Davies says this perhaps suggests women are perceived as more cautious; it could also imply that men are perceived to be more likely to be involved with handling sensitive data.
Some two-thirds, 67 per cent said those working on site were more of a risk than those working remotely. “Despite all the security worries about people working out of the office on whatever devices they want, those in the office actually have easier access to sensitive data, so are more likely to lose it,” adds Davies.
Data breaches are most likely to come from inside the business. 88 per cent of companies questioned had experienced a security incident in the last 12 months, of which 73 per cent were from people they knew: employees, past employees or customers/suppliers.
Security people answering the survey estimated 53 per cent of the workforce is in a position where they might cause an accidental security breach, whilst 5 per cent are seen as having the potential to cause a malicious one.
Davies adds: “We’re not proposing targeting individuals, but if you can understand the combination of factors that make certain people in certain roles more of a risk, you can focus your resources on ensuring those breaches don’t happen. For example, you could provide tailored security training or put in more sophisticated layers of security around particular segments of the business.
“Cyber security has a constantly changing field of play, balancing security with the freedom to collaborate. We live in a complex, changing world and threats will be different in different parts of the organisation. By pairing detailed knowledge and understanding with adaptive security technology, you can create a win-win security game-plan to help you combat insider threats: locking down your sensitive data while keeping business moving.”
