Internal IT Threats in Europe 2006

Introduction from the CEO

On behalf of InfoWatch, I welcome you to our – and the world’s – first-ever annual study on the problems of internal IT security in Europe. Our findings are based on surveys we conducted with a range of middle- and upper-tier IT management professions from 410 companies across Europe.

Europe’s IT professionals expressed a range of concerns on the subject, with theft by company insiders occupying pole position – concerns we have found they share with their colleagues both in the US and here in Russia.

Data leakage is a new kind of enemy. It will be many years before the problem is completely understood, systems developed and fully incorporated into the workplace. But as a society, a business community and an industry, things are clearly moving in the right direction.

Whereas the public’s attention was previously directed towards virus epidemics and hacker attacks, it is now shifting to the more relevant problem of safeguarding information resources from internal attack. Of course, an integrated technological solution is only one part of the overall solution. But without it, factors such as employee training and a cogent internal security policy can never be enforced or even shown to be effective. Now that a broader base of corporate clients appreciates this, the market for specialized IT security systems is taking shape.

Data on the real number of information leaks in Europe over a given period has not always tracked reality. The EU¹ – unlike the US – has had no directives requiring the mandatory notification of victims in cases of data breach, and companies have been slow at times to initiate notification procedures.

The reasons are not difficult to appreciate. It is natural that company management would fear the major costs – both financial and in terms of lost reputation – which accompany a data leak. And rather than initiate costly procedures against themselves, some have opted to hope that the problem will just go away, especially in the typical case of a lost or stolen laptop. Here, it is tempting to hope that those in possession of it will not appreciate the potential value of the unencrypted data it contains. Such a policy of avoidance can result in hefty losses for those whose data is held on the computer and who become victims of identity theft as a result.

Many companies have, of course, been proactive in dealing with such leaks, notifying those affected, setting up advice hotlines, providing bank account monitoring and bringing in the law-enforcement agencies.

But while, to date, admissions of data leakage across the EU have relied on companies choosing to make that information public – a decision which has depended on how the company perceives its best interests in the circumstances – that may soon change.

The EU is discussing a directive² which will oblige companies to inform those affected within a set period. If passed, it will add a further layer of consumer protection (albeit after the fact) to issues of data leakage, and lead to greater transparency on an issue which can affect any one of us at any time. In Britain, meanwhile, the Financial Services Authority³ (FSA) is involved in moves which would empower it to order all regulated financial companies to immediately inform customers of data security breaches.

While we welcome the growing appreciation among IT managers of the importance of viable preventative solutions to internal information security, we look forward to being able to share with our partners and clients the clearer picture of data leakage across Europe that the proposed EU directive will stimulate.

Key conclusions

• Europe’s IT professionals overwhelmingly indicate (78%) that data theft represents the primary information security threat – more significant than either viruses or hacker infiltration
• Of all possible results of compromised information security, the threat of leakage of confidential information is keeping more members of the IT department (93%) awake at night than any other
• Europe’s primary data leakage channels are identified as portable storage devices, e-mail, and Internet-based channels such as web-mail and forums
• Only 11% of those surveyed were confident their company’s information security had not been breached over the last year – a figure which closely mirrors the number of companies with anti-leakage solutions in place – with 42% admitting to between 1-5 breaches and 37% unable to say with certainty that that no breach had occurred
• The lack of industry standards is highlighted as the primary obstacle (42%) to wider implementation of anti-leakage technologies
• Perceived solutions include the deployment of comprehensive anti-leakage software, the implementation of appropriate organizational measures – such as clear and consistent internal security policies – controls on external network access, and raising staff awareness and discipline through training

Methodology

The survey was conducted by the InfoWatch Analytical Center and included detailed responses from 410 companies between January 2nd and March 2nd 2007.

Responses were collated from:

• Visitors by European IT trade exhibitions attended by InfoWatch
• Seminars and conferences organized by InfoWatch and its partners
• Personal and telephone interviews with representative IT professionals from companies
• E-mail correspondence with representative IT professionals from companies

In all cases, the respondents answered a set number of questions according to consistent rules. Upon conclusion of the survey, we offered respondents the opportunity to comment freely on the topic which concerned them most.

Statistical processing and results analysis were carried out by the InfoWatch Analytical Center. Percentages are rounded off to the nearest one percent.

Note: Total percentages for some answers exceed 100% due to the use of multiple-choice questions.

Respondent profile

As with all our surveys and research papers since 2004, the respondents were all managers or senior employees specializing in IT and information security. The survey respondents themselves, their responsibilities and their companies’ area of work were chosen to reflect a broad representation of European industry. And all those who took part are responsible for decision-making in the area of corporate data systems development.

The majority (67%) of the respondents’ companies (Fig. 1) has between 500-5000 employees and 78% have between 100-5000 workstations on site.

These two indicators taken together show that our survey was drawn predominantly from medium-sized and larger medium-sized companies.

We approached (Fig. 3) a broad swathe of companies in terms of business activity.

All our survey respondents were directly involved in IT and information security issues, with upper-tier managers making up 67% of the total.

The sheer number of specialists within large and medium-sized companies who answer for the security of information indicates how the problem is increasingly being taken seriously. Undoubtedly, this is a very positive trend because data protection plays a key role in the stable development of any organization.

Meanwhile, small businesses are still working without information security specialists, and in some cases they have no full-time IT specialist at all. These organizations prefer to outsource their IT work to contractors or to ignore it altogether and deal with any problems as they arise as best they can.

IT threats in Europe

Clearly, the greatest IT threats are perceived (Fig. 5) as data theft (78%) and employee negligence (65%). This fact is significant, given that in many cases the two events are connected. Let us take a typical case of data theft where a laptop with unencrypted data is stolen from the vehicle of an employee or from an office. Had the employee not been negligent in applying the company’s information security policy of encrypting sensitive data, the loss would have been no more dramatic than the cost of a replacement laptop. And the laptop would, in all likelihood, have been insured in any case.

Viruses (49%) – which can be characterized as ‘background’ threats (i.e. they are typically not directed at a specific company and a generalized inconvenience affecting all, like bad weather) – occupy the centre ground. Hackers (41%) are seen as the highest-rated outside threat of a personal and motivated nature.

It is interesting to see hackers regarded now as only a moderate threat by genuine IT professionals given the widespread acceptance of their supposedly ubiquitous powers by the general public.

We note that sabotage (15%) is on the radar, though not to the extent one might expect. Whereas the amount of damage a disgruntled employee can cause to a company may potentially far exceed that of even a motivated outsider (such as a hacker), the perception still lags behind the reality.

We are able to provide further insights by taking the findings from the previous survey item and dividing it into two basic categories – internal threats and external threats.

• External threats:
  • Viruses
  • Hackers
  • Spam
• Internal threats:
  • Data theft
  • Sabotage
  • Negligence
  • Fraud

We excluded the threat of hardware or software failure from the equation since it did not properly fit with the point of establishing threats of an intentional nature (by either commission or omission) from within and without. We then calibrated the findings to account for this change. We included data theft among internal threats since it occurs most frequently as the result of insider activity. Insiders are acquainted with company documents and are best placed to understand what information has potential value.

It is interesting to see that the perceived threat of internal security breaches among those personally responsible for IT security is greater than that of hackers, viruses and spam altogether.

The problem lies in the fact that it is much harder to protect against internal threats than against viruses where all one needs to do is install an effective antivirus package. Internal threats require more. It is a multi-faceted – but at the same time, completely solvable – problem.

Internal threats

We have seen that the major information security threat to a company comes – potentially at least – from the people who work there. That being the case, it makes sense to look at how insider threats in Europe break down.

Many internal threats are connected with each other. For example, fraud requires the distortion of sensitive information – typically, financial reports – and sabotage invariably results in the leakage of confidential information or data loss.

However, the predominance of confidential information leakage in the minds of European IT managers and executives as the leading issue firmly indicates the lack of fully integrated solutions covering this base.

Confidential information leaks

Given that a confidential information leak at the hands of insiders is the greatest information security threat, we asked our survey participants to identify the most serious consequences for their company from such a leak.

Cases of confidential information leak are legion and the costs associated with one are well known. For example, the annual bank account monitoring costs per annum for even an average leak of 50,000 would be a minimum of 5,000,000 USD. And there are many other costs besides.

Nevertheless, direct financial costs were adjudged to be far less significant than the damage to reputation and loss of customers arising from a leak. Such an assessment indicates understanding among European IT professionals of the long-term damage such a leak can cause to a company’s underlying viability.

Next, the InfoWatch Analytical Center asked about the most common channels used by insiders to leak information from within a company.

Portable storage devices such as USB flash drives or backing-up onto a laptop were seen as the primary channel. However, Internet-based channels such as e-mail, instant messaging services, web-mail and forums were individually key causes for concern, and collectively the largest.

Of particular interest is the rating received for printers (54%). Further individual questioning of respondents revealed that some of those companies with cogent IT-security systems in place – based on either electronic data technology which filters outgoing traffic or controls on access to internal networks – still had concerns about printers. Data which they copy is neither filtered nor is it subject to network regulations. Such printers are an open door – and European IT managers understand this – and as such they are especially attractive to insiders as a means of purloining internal data.

We now turn to the question of the number of confidential information leaks over the last twelve months (Fig. 10).

We see that only 11% were able to say with confidence that none had taken place. Later in this report (Fig. 13) we find that this is close to the 16% of companies which currently have anti-leakage solutions in place. Meanwhile, the fact that 42% admit to having had between 1-5 leaks in the last year provides food for thought on two counts.

Firstly, it makes the need for the kind of legislation the EU is currently considering all the more urgent since, on the basis of this sample, the undisclosed leakage across Europe is widespread.

Secondly, is shows how woefully disconnected even the picture of frequent leaks we see in the press is from the underlying reality, and how data on the subject only really describes the tip of the iceberg.

Regulation

Our survey then turned to the question of whether organizations in the EU should be obliged by law to notify people in the case of personal data being compromised (Fig. 11).

Almost 70% felt that there was either a severe or probable need; and this not from consumer rights organizations, but from people with much to lose professionally in the event of a leak becoming public knowledge.

Over 50% of IT professionals felt that EU legislation should require organizations to protect the personal data it holds from insiders.

And while the costs of implementing a fully integrated anti-leakage solution are negligible compared with the colossal costs – direct and indirect – which such leaks entail, such legislation would certainly strengthen IT managers’ hand to more forcefully argue the need for such a solution to other members of the management team.

Means of defense

We turned next to the question of information protection systems companies have in place.

Anti-virus, firewall technologies and access controls on workstations were, understandably, the norm. The rise in the use of virtual private networks (VPN) – a private communications network often used by companies or organizations to communicate confidentially over a public network – was of particular interest. It means that companies are taking their network security seriously way beyond the confines of the intranet.

Anti-leakage systems are lacking across the board with less than one in six companies having a proper system in place. So what is preventing companies from buying in proper data defense systems (Fig. 14)?

Leading the pack we have lack of standards (42%). This figure is augmented by the perception that no technological solution exists (12%), and lack of skilled specialists (29%). The fact is that anti-leakage technology does exist – even though, evidently, not everyone knows about it – but it is still a relatively new field. And as such, it has yet to develop across-the-board standards. Many European IT managers are simply biding their time until the market matures and cut-and-dried market-wide protocols are in place.

By standards we mean not only procedural norms or staff recommendations, but an entire, integrated approach to dealing with internal security issues. In the absence of such a range of standards covering each aspect of a multifaceted approach, managers find it difficult to justify the cost of buying in dedicated solutions or assigning a portion of their budgets to on-going implementation costs. In addition, other factors can make this a difficult issue for managers to decide on. The high number of suppliers with fundamentally different products in this area – all with their own particular strengths – can make it particularly tough to compare products and opt for one.

Despite their concerns about unified standards, the fairly even spread of opinion among European IT managers and specialists as to the best way to fight insider information leakage (Fig. 15) demonstrates that they realize that while technological solutions are part of the answer, they cannot stand alone without proper organizational procedures, training, and other security measures.

We turn now to the future. We are all agreed there is a problem. Let’s see what means companies are planning – if any – to use to deal with it.

We see here (Fig. 16) that, despite concerns about standards, a full third of managers expect to have comprehensive monitoring systems in place in the next three years. It may be that they expect the issue of standards to be sufficiently resolved in that time so as to allow them to buy in a solution with confidence. Alternatively, the pressure on companies to protect their data from insiders may simply become so great – due to further spectacular leaks or simple outside legislation – that managers will feel that their companies have no option but to bite the bullet and buy in a solution.

There is a clear acknowledgement of the role the Internet plays as a key leakage channel, with a full 42% intending to plug in technological solutions on that front.

Open question

At the end of each interview we asked European IT managers to give us their full view on any aspect covered by the survey. Here, they again voiced their concern about the absence of a unified internal security approach. In the real world, this hampers the process of opting for a specific solution. Naturally, solution suppliers emphasize their products’ benefits, but the lack of unified standards makes comparison with competitors very inexact.

In addition, there is the issue of budget planning. One respondent put it like this: “We all know how to deal with viruses. You install an antivirus package on the gateways and workstations, and then you can work out how much the licenses will cost over time. It’s that simple! But protection from insiders is different. Each solution supplier has its own view on how best to set up an internal security system. And even among colleagues you find disagreement on this issue.”

Despite these concerns, respondents found that a consensus is beginning to form. This is primarily due to the fact that organizations never cease expanding the number of business communication channels they use: E-mail, Internet, instant messaging services, printed materials, various wireless networks, new network protocols and software. In an environment of ever-expanding means of communication, it is logical that internal security systems not be channel-specific, but provide a scalable solution into which new channels can be assimilated.

With the legislative proposals currently under review by the EC in Europe and the FSA in Britain to oblige companies to immediately inform customers of data security breaches, we see a further step along the road towards confluence, synthesis and consensus on the question of how best to formulate standards on this vital issue.

Conclusions

This report provides the benchmark in pan-European data from IT and information security specialists on the issue of the threat of confidential information leaks. It provides a much-needed platform from which, in future years, we be able to measure tendencies on this issue across the continent.

It shows that, at present, internal data threats (55%) are regarded as more dangerous than external threats (45%) such as hacker attacks or virus infection. The core internal concerns are the theft of confidential information by insiders and employee negligence.

Respondents are acutely concerned about the damage to a company’s reputation and the loss of customers as the result of a leak, with these two issues combined outweighing concerns about direct financial loss by a ratio of 5:1.

We see that 16% of companies have a confidential information protection solution in place with a further 32% planning to implement solutions in the next three years.

We expect the expected confidential data legislation in the EC and by the FSA in Britain to have a galvanizing effect on the pace of fully integrated solution implementation.

---

¹ Existing EU law requires only that customers be generally notified about security risks, but not about specific instances in which a security breach has occurred. Commission staffers remarked in a June 29 report that a security breach notification requirement “would create an incentive for providers to invest in security without micro-managing their security policies”.

² Brussels, 28 June 2006 SEC(2006) 816, COMMISSION STAFF WORKING DOCUMENT COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS on the Review of the EU Regulatory Framework for electronic communications networks and services {COM(2006) 334 final}.

³ The Financial Services Authority (FSA) has the power already to order all regulated financial companies to immediately inform customers of data security breaches. It backs notification in almost all cases, but a blanket rule has yet to been laid down.