Inside Out vs. Outside In

June 18, 2013

When we think of information security, we tend to think of external hackers and cyber-criminals fighting their way inside an organisation’s network to steal its information. Clearswift commissioned some research that takes a holistic view of information security incidents and found that 83% of organisations surveyed said they had experienced a security breach in the last 12 months. However, contrary to where the security spend is focused, 58% of all incidents originated from inside the organization rather than from shadowy, malevolent outsiders – the culprits being employees, ex-employees and trusted partners: people like you and me.

byod_title

The research uncovered the fact that 72% of organisations are struggling to keep up with changes in the security landscape and the policies required to support the changes in the way people communicate and the way business is conducted today. One of the major changes in both business practice and business risk has been the rise of Bring Your Own Device (BYOD).

The top three BYOD threats are:
– employee use of USB or storage devices;
– Inadvertent human error;
– employees sending work-related emails via personal email devices.

However it’s not fair to lump the blame for these types of security risk solely on employees if they are being encouraged (or at least not discouraged from) adopting BYOD. Roughly one third (31%) of organizations are proactively managing BYOD, while 11% reject it outright. Those who reject the use of BYOD are more likely to encounter internal security threats (37% vs. 18% for those who proactively manage it). In the survey, 53% said that employees would use BYOD on the corporate network whether it was sanctioned or not. The onus is on the company to manage their use rather than behave like an ostrich and pretend it won’t happen.

So, what next? Organizations need to acknowledge that the threats from within are at least as important as those from outside and should plan their security spend accordingly. When it comes to BYOD, a comprehensive set of policies must be put in place as quickly as possible. There should be an education or awareness programme for both users and employers alike around the risks BYOD can have and how these risks can be mitigated, so that employees’ personal devices can be used securely.

If your company still doesn’t publish BYOD rules, you as an employee can stick to our recommendations:

  1. Don’t put your company (or yourself) at risk by using your personal devices, even USB sticks, to process corporate data without prior consultation with a system administrator or an information security officer.
  2. If you need to use a USB stick, then use one which has encryption on it – and preferably one that your company endorses. There are lots to choose from out there and they are not that much more expensive than unencrypted options. For the sake of £20 you could save your company its reputation.
  3. The same goes for private e-mail accounts. If you have a pressing need to use private e-mail (e.g. your corporate mail is down), set up a dedicated account with maximum security applied (Gmail with two-factor authentication switched on could be a great starting point).
  4. Send any documents strictly in encrypted form. There are plenty of ways to do that – starting from password-protecting MS Office documents or ZIP files with a strong password. Of course you must not send encrypted passwords in the same e-mail- call the recipient by phone to tell them the password.
  5. Don’t set up your working e-mail account on your private device without prior consultation with a system administrator. There are specially protected clients to do that in a safe way.