The main reason that happens is because companies don't have the resources to tackle the issue, according to the National Survey on Managing the Insider Threat, sponsored by ArcSight Inc., an enterprise security management company in Cupertino, Calif. Ponemon Institute surveyed 461 people who work in corporate IT departments in U.S. organizations.
"We found that many of the respondents in our study found that it was difficult, if not impossible, to identify all data breaches that exist -- and over 79 percent of the respondents said one, if not more, insider-related security breaches at their companies go unreported," said Larry Ponemon, chairman of the Ponemon Institute. "Because it's insider-related normally, involving a careless or negligent employee not an evil employee, maybe they are more likely to go unreported because people know each other and maybe because people know each other, they say it was a mistake and maybe in the future they'll fix it."
Lack of resources and leadership makes it difficult to address the insider threat, said Ponemon, who is also a columnist for Computerworld.
Approximately 93 percent believe that the no. 1 barrier to addressing the data breach risk is the lack of sufficient resources, and 80 percent cited a lack of leadership, he said. Another factor is the fact that 31 percent of respondents said that no one person has overall responsibility for managing insider threats, according to Ponemon.
The respondents said they devote a considerable amount of their efforts trying to prevent or control insider threats as part of their company's IT security risk management program. Approximately 10 percent said they spend more than half of their time on insider-related risks and about 55 percent of respondents said they spend more than 30 percent of their time dealing with those issues, according to the survey.
"The effort should be focused on things that cause the most heartburn," Ponemon said, noting that while information security practitioners are spending a lot of time on insider threats they are generally doing so after the fact.
Ponemon said that careless or negligent employees represent the highest risk to companies who took part in the survey. In contrast, system administrators and other privileged users represent a much lower insider risk to organizations, he said.
According to the respondents, the average cost of the insider threat is about US$3.4 million per year and the estimated amount that the company's management spends to manage such threats is less than $1 million. That suggests that companies are under-funding the management of insider-related risks and vulnerabilities, he said.
According to the survey, more than 61 percent of the respondents said that accidental data leaks occur "frequently" or "very frequently" because employees or contractors lack sufficient knowledge about preventative measures or because employees or contractors are careless; Almost half of respondents, or 48 percent, claimed that corporate sabotage, such as the deliberate destruction of IT equipment, occurs "frequently" or "very frequently" because employees or contractors are malicious or disgruntled.