Your worst security threat: Employees?

A government-backed report has found that employees are almost as big a security threat as external causes - and companies are finding that the cost per incident is rising

More than a third of the worst computer system security breaches at UK companies are from employees, according to government-backed research released on Tuesday.

The Information Security Breaches Survey 2002, sponsored by the Department of Trade and Industry and prepared by consultancy firm PricewaterhouseCoopers, found that in small companies, 32 percent of the worst incidents were caused by insiders, but in large companies this figure climbed to 48 percent.

This is a big jump from previous research, said the authors. In the CBI Cybercrime Survey 2001, only 25 percent of organisations identified employees or former employees as the main cybercrime perpetrators, compared to 75 percent who cited hackers, organised crime and other outsiders. In the 2001 CSI/FBI Computer Crime and Security Survey, 70 percent cited their Internet connection as a frequent point of attack compared with just 31 percent who cited their internal systems as a frequent point of attack. However, the authors pointed out that it would be "premature and dangerous to assume" that the threat from outsiders has diminished.

A third of these "worst" security incidents were virus infections, but there were also high incidences of other, more deliberately targeted attacks. Forty-one percent of companies reported virus infections in the past 12 months -- nearly triple the 16 percent reported in the same survey two years ago.

"Recent high profile virus attacks (such as the Nimda and Code Red blended threats -- viruses that possess characteristics of worms, viruses and Trojans and blend these with hacking techniques) forced many UK businesses to shut down external connections to the Internet, and the cost in terms of lost business, staff time and downtime ran to millions of pounds," said the authors.

While hacking attacks accounted for only 14 percent of the worst incidents in the past 12 months, this figure has shot up from just 4 percent two years ago. "Any computer connected to the Internet is typically scanned several times each day," said the authors. The figures are consistent with other recent UK surveys. In the CBI Cybercrime Survey 2001, 44 percent of respondents had suffered virus attacks and 16 percent had suffered a hacking attack.

Eleven percent of companies reported that their worst incident was due to inappropriate use of systems (using email or Web browsing to access or distribute inappropriate material), and six percent said the cause was theft of information.

The survey was published to coincide with the Infosec security conference in London. A summary of the survey was released last week, but this is the first time the figures have been broken down in detail.

Most security incidents resulted in only minor costs, according to the survey, with two-thirds of the most serious incidents costing less than £10,000 to resolve. However, about 4 percent of the UK businesses surveyed said they had suffered costs of more than £500,000 following a single security incident. Two years ago, the companies reported that their worst incidents cost in the range of £20,000 to £100,000. One manufacturer, said the authors, estimated the direct costs associated with a recent virus infection to be £80,000.

Many more companies now have adequate systems in place to deal with security incidents than they did two years ago, but small companies still lag badly. Three-quarters of large companies have procedures for logging and responding to security breaches, and 75 percent have contingency plans, compared to 41 percent and 47 percent respectively for small companies.

The report offers no suggestions to help companies with the threats, but there is a simple tool that companies can use to help build procedures and contingency plans, say experts. British Standard 7799 is arguably the most widely recognised security standard in the world, and the international standard ISO 17799 grew out of it. All UK government departments have to be compliant with BS 7799 in their key business systems by 2003.

Part 1 of BS 7799 is a code of practice for information security management systems, and has been a standard since December 2000. This can be used for compliance, but because there are no auditable standards, companies cannot be certified against it.

Compliance is straightforward, according to Jeremy Ward of antivirus firm Symantec: "Part 1 of BS 7799 is only 11 pages long -- you don't need professional advice to implement it."

But Part 2, which is an auditable standard against which companies can be certified, is a lot more involved. "It is not easy," said Ward, "but there are simple steps -- don't try to swallow the whole elephant in one gulp." One place to start, said Ward, is to find people prepared to take responsibility for assets, such as a customer database. "Then you have to think about what effect there would be on the business if this disappeared for a day -- or even longer. This means risk assessment. Without that you don't get to first base."

After risk analysis has been completed, companies can ask themselves what safeguards need to be put in place. But it is not good enough to simply install a firewall, said Ward. "You have to ask yourself why you need it, and where it should go." BS 7799 is built from a pyramid of 127 controls, starting at the top with policy. "Policy needs to be backed by the board, otherwise nobody else in the company will take notice of it," said Ward. "And it has to be short -- no more than about two pages." This policy document should contain measures such as how Internet and email use is controlled. Then come the procedures: what a company must do to underpin the policies. "Then comes technology, and finally the auditing system -- the whole thing needs to be documented and recorded."

According to ICL's principal security consultant Richard Boothroyd, only about 50 companies in the UK are certified to BS 7799. Many more are compliant, though certification is actually easier for smaller companies.

"Lots of organisations go for compliance, which is covered by Part 1 of the standard," said Boothroyd but, he added, it is still underused. "Companies do need to be much more aware of BS 7799 than they have been."

The ISBS 2002 report is available here.
