Survey: Insider threats haunt security execs

While many organizations focus their security efforts on mitigating the threats posed by external actors, some of their greatest risks come from within, in the form of insider threats. From acts of violence to intellectual property theft, malicious insiders are one of the risks that keep security executives up at night, and new research shows that companies are struggling to keep pace with the threat.

According to a recent survey, sponsored by post-hire screening services provider Endera and conducted by Vanson Bourne, of 200 security executives at firms with more than 1,000 employees, companies, on average, were found to suffer at least three workforce-related incidents a week. More than half (55 percent) of the respondents reported that their organization struggles to limit the number of workforce-related security incidents and 44 percent said they were not aware of any potential workforce or personnel issues prior to an incident. Additionally, nearly 40 percent of those polled reported that their workforce had lost confidence in the organization’s ability to keep them safe.

An overwhelming majority of survey respondents (87 percent) reported that contractors/freelancers are most likely to be the cause of a workforce-related security incident at their company, while two-thirds (64 percent) said that supply chain/third-party vendors were the most likely cause. For the purposes of the survey, Endera COO Steve Izurieta said the definition of “workforce-related security incidents” was kept broad and could range from major events impacting life safety and brand reputation to smaller incidents that could be mitigated with a simple conversation with an employee.

The top risks that security executives said their organizations were concerned about include device theft or loss (86 percent), fraud (80 percent), cybersecurity threats (74 percent), and workplace violence and threats (55 percent).

Despite the concerns that companies expressed about workforce-related security incidents, Izurieta said they were surprised at how many organizations fail to do any sort of post-employment screening of their employees. In fact, according to the survey, while 75 percent of respondents said their organizations conduct background checks prior to employment, only 48 percent reported that these checks continue on a periodic basis.

“These were large organizations… and less than half of them are doing anything after the initial hire,” Izurieta adds. “They may do something if there is an incident but that’s an investigation versus an understanding of risk. They’re not doing anything, so that’s a lot of risk that is not being evaluated and therefore mitigated. A focus on that insider threat is really needed.”