Understanding the Threat of Insider Misuse
This is according to the Computer Economics study Insider Misuse of Computing Resources, which analyzes 14 forms of insider misuse in detail. The study shows a number of ways in which violation of an organization's acceptable use policy may result in harm. Making insiders aware of these threats is an important part of mitigating the risk of insider misuse, as we discuss later in the full study.
A sister report, Malicious Insider Threats, addresses threats where the insider intends to harm the organization or acts in a purposeful way that threatens the organization's interests. There is sometimes a fine line between malicious intent and mere misuse. For example, an employee downloading music or video files to a desktop computer would not usually be doing so with intent to harm the organization. But if the files being downloaded are pirated, the employee is putting the organization at risk.
Furthermore, if the employee is using a peer-to-peer file-sharing program to download music, his behavior could inadvertently give outsiders access to confidential files on the computer. The employee may not intend to harm the organization, but his actions put the organization at risk.
Nevertheless, we find it useful to separate threats from insider misuse from threats by insiders with malicious intent. Furthermore, many of the countermeasures against insider misuse are also useful to counter malicious insiders.
How Serious Is It?
Before delving into our analysis of each threat, it is useful to examine them in total. For this analysis, we look at all types of insider misuse and rank them according to the perceived seriousness of each threat. In our survey, we asked respondents to rate the seriousness of each category of insider misuse as no threat, a minor threat, a moderate threat, or a major threat. We recognize that the word "seriousness" has no formal definition in risk management. Typically, risk management professionals quantify risks by their severity (potential harm) and the likelihood of experiencing an incident within a given time frame.
However, because many forms of insider misuse are not readily quantifiable, we use the word seriousness to gauge how concerned IT security professionals are with each threat. We believe the seriousness level provides a useful measure of the perceived importance of each threat, while being mindful that perception and reality are not always consistent.
In assessing the seriousness of each category, we asked respondents to consider all forms of potential damage to the organization, such as effect on system availability or integrity, network performance, legal liability, disclosure of confidential information, loss of worker productivity, and damage to the organization's reputation. In addition, we asked respondents to evaluate these threats without consideration of any countermeasures their organizations were taking to deter misuse.
Interestingly, the 14 categories of insider misuse fall into two distinct groups. The first eight categories form one group, where at least 40% of our respondents view each as a major threat. The first group includes:
Unauthorized copying of files to portable storage devices;
Downloading unauthorized software;
Use of unauthorized P2P file-sharing programs;
Remote access programs;
Rogue wireless access points;
Downloading of unauthorized media; and
Use of personal computing devices for business purposes.
What do these forms of misuse have in common? They all pose a threat primarily in terms of loss of information, security breaches, and legal liability. For example, unauthorized copying of files is a threat as it may lead to loss of confidential information. An employee using his own laptop for business purposes may inadvertently take confidential information home at night or retain this information when he leaves the organization. Downloading unauthorized software or using P2P programs may introduce malware into the organization, leading to theft of information or loss of system availability. It is not difficult to envision the seriousness of the threats that these forms of misuse pose to the organization.
There is a significant gap between this first group and the bottom six categories. Only 25% or fewer of our respondents considered these as major threats. This group includes:
Unauthorized blogging or participating in message boards concerning the organization's business;
Instant messaging using personal accounts;
Non-work-related Web browsing; and
Using the organization's email system for personal matters.
The forms of misuse in this second group are perceived as less serious threats than those in the first group. The perceived threat in the second group is primarily loss of worker productivity. One may argue that some of these forms of misuse also lead to loss of confidential information. For example, an insider blogging about the organization's business without authorization could disclose trade secrets. Or an insider using a personal instant messaging account through the corporate network could introduce malware into the organization. Nevertheless, our respondents do not view these forms of misuse as being as serious as those in the first group. Whether these forms of misuse should be treated more seriously is a subject for analysis in the full report.
Sample of Key Findings
The points below summarize some of the findings of the full study:
Unauthorized copying of files to portable storage devices is the most serious threat and a major source of information leakage from organizations. The majority of organizations categorize it as a major threat, yet approximately one-third make no attempt to deter such activity.
Downloading unauthorized software is a close second in perceived threat level, and nearly 90% of organizations have policies forbidding this activity.
Unauthorized P2P file-sharing programs are considered a major threat by more than half of organizations, but one-quarter make no mention of P2P programs in their acceptable use policies.
Use of unauthorized remote access programs and services rounds out the top four perceived threats, with 17% reporting widespread violations of policy.
Downloading of unauthorized media content such as video and music is not judged as serious as the preceding four threats. The majority of organizations nevertheless give verbal warnings to insiders that violate organizational policy against unauthorized downloading.
Unauthorized authorship of blogs concerning the organization's business is not addressed in the policies of most organizations. Similarly, most organizations make no attempt to deter insiders from making unauthorized postings to message boards concerning the organization's business.
More than one-third of organizations have no policy concerning instant messaging using personal accounts.
The majority of organizations view use of personal email accounts from within the corporate network to be a moderate or major threat, but 29% either have no policy or take no action when policy violations are detected.
More than half of organizations consider non-work-related Web browsing to be a moderate or major threat, but one-third explicitly allow insiders to browse the Web from within the corporate network. This may be because the majority of companies have specific controls in place to monitor or block inappropriate Web browsing, though there are significant variations in the types of sites restricted.
More than half of the study respondents view use of business email for personal matters as a moderate or major threat, but one-third do not address this behavior in their acceptable use policies or make any attempt to deter it. Nearly half of all organizations report widespread violations of corporate policy.
To deter or detect insider misuse, most organizations have email monitoring policies in place, and the majority of organizations examine insider computer files or monitor insider Internet traffic when misuse is suspected. Few log insider keystrokes, however.