The main reason that happens is because companies don't have the resources to tackle the issue, according to the National Survey on Managing the Insider Threat, sponsored by ArcSight Inc., an enterprise security management company in Cupertino, Calif. Ponemon Institute surveyed 461 people who work in corporate IT departments in U.S. organizations.
"We found that many of the respondents in our study found that it was difficult, if not impossible, to identify all data breaches that exist -- and over 79 percent of the respondents said one, if not more, insider-related security breaches at their companies go unreported," said Larry Ponemon, chairman of the Ponemon Institute. "Because it's insider-related normally, involving a careless or negligent employee not an evil employee, maybe they are more likely to go unreported because people know each other and maybe because people know each other, they say it was a mistake and maybe in the future they'll fix it."
Lack of resources and leadership makes it difficult to address the insider threat, said Ponemon, who is also a columnist for Computerworld.
Approximately 93 percent believe that the no. 1 barrier to addressing the data breach risk is the lack of sufficient resources, and 80 percent cited a lack of leadership, he said. Another factor is the fact that 31 percent of respondents said that no one person has overall responsibility for managing insider threats, according to Ponemon.
The respondents said they devote a considerable amount of their efforts trying to prevent or control insider threats as part of their company's IT security risk management program. Approximately 10 percent said they spend more than half of their time on insider-related risks and about 55 percent of respondents said they spend more than 30 percent of their time dealing with those issues, according to the survey.