The biggest security threat? Insiders

Chief information officers fail to know their enemy, as a new survey shows they greatly underestimate the threat posed by insiders to security

System administrators and chief information officers have little concept of the top threat to security, according to a survey released this week by eWEEK and security vendor Camelot IT.

Despite personal experience and empirical evidence to the contrary, 57 percent of respondents who listed themselves as very concerned about network and privacy security issues said that outside attacks are a bigger threat to their networks than attacks from insiders.

In addition, 22 percent of the respondents to the Camelot Network Security and Privacy Survey said they were not concerned about unauthorised insiders having access to sensitive data.

These answers are even more perplexing considering that, of those who reported a security breach within the last year, 57 percent said the breaches were caused by inside users accessing unauthorised resources, while 43 percent blamed accounts left open after an employee has left the company. Fully 21 percent of the respondents said their companies had been the victim of an attempted or successful break-in by an angry employee.

And with more and more companies laying off employees every week, these breaches are only going to get worse.

"Anyone who thinks that external security is their biggest problem isn't thinking," said David Thompson, a Boston-based security consultant and the former chief information officer at the Defense Advanced Research Projects Agency. "What harm is really done if someone defaces your Web site? None. But what if a customer gets access to another customer's pricing information on your intranet? Then you're in trouble."

The survey was a poll of 548 eWEEK subscribers, 47 percent of whom are either system administrators, IT managers/directors or chief information officers/chief technology officers.

"It's clear that internal security is the number one threat," said Ofer Gadish, executive vice president of technologies at Camelot, based in Haifa, Israel, with US headquarters in New York. "But I think there's a gap between what people are afraid of and what they recall from past attacks. Awareness of Internet security is higher than that of internal security."

Another surprising result of the survey is the revelation that 49 percent of the respondents said they had no annual budget for maintaining or upgrading their network security system, and 16 percent didn't know whether they had such a fund.

In an environment where researchers discover new holes in software virtually every day, that kind of complacency is something most companies can't afford, industry experts say.

For all job and work related news, or to search for a job and get information on training, go to ZDNet Careers

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.