Fear of insider threats hits home

The more money that companies spend on securing their IT operations from external attack, the more it seems they become aware that the potential threat posed by their own employees remains their most significant risk.

A new study published by consultants Deloitte on Tuesday finds that financial services companies -- among the most advanced and deep-pocketed consumers of security technologies in the world -- are still struggling with the concept of handling the insider threat issue despite all the cash they're dropping on security technologies.

In the survey of 100 global financial services firms, Deloitte found that 91 percent of those questioned were concerned about their inability to respond to insider threats, while 79 percent were willing to cite "the human factor" as the root cause for a majority of their security issues.

Despite that and all the different types of security tools companies have adopted, the survey found that 22 percent of the companies interviewed hadn't provided any new security training to their workers in the past year, and only 30 percent indicated a belief that their current employees were skilled enough to respond to an emerging security crisis.

The apparent lack of faith in their ability to control the insider threat shows that many businesses are aware that they are only just beginning to tackle the problem, report authors said.

"The contradictory findings highlight the security paradox financial institutions are facing," Mark Steinhoff, leader of the firm's financial security and privacy services practice, said in the report. "Security training and awareness, along with access and identity management -- of employees, clients, and suppliers alike -- are among organizations' top initiatives this year as they fight to keep pace with the ever-changing threat landscape."

Beyond training, more companies are also enlisting the help of additional security systems aimed specifically at thwarting internal attacks and preventing mistaken data breaches.

In addition to tools that offer the ability to track IT systems usage more comprehensively -- and create electronic paper trails that give forensics experts a string of clues when investigating any misbehavior or mistake -- enterprise organizations claim that they are also blending physical and IT security to stay abreast of what their workers are up to.

"We've been putting cameras on all entrances and exits, looking at using badge numbers for tracking purposes, and keeping a closer eye on what people are doing and where they are going," said Adam Le, director of IT infrastructure at Alliance Imaging, a healthcare testing specialist. "We're also contemplating things like fingerprint scanners and other biometrics and looking at encrypting all data at rest on laptops."

Companies walk a fine line in balancing the need to watch over their workers for security purposes and becoming too intrusive, the expert admitted. However, Le said that with businesses like Alliance facing mounting pressure from regulators to lock down every piece of patient data they record, employees must understand that the process is about protecting the firm and not about assessing personal work habits.

In another effort to deal with the insider threat, Alliance, which provides outsourced medical imaging capabilities to hospitals and other healthcare organizations, has added new user authentication and monitoring tools made by ConSentry to its IT environment.