Understanding the Threat of Insider Misuse

There is a significant gap between this first group and the bottom six categories. Only 25% or fewer of our respondents considered these as major threats. This group includes:

  • Unauthorized blogging or participating in message boards concerning the organization’s business;

  • Instant messaging using personal accounts;

  • Non-work-related Web browsing; and

  • Using the organization’s email system for personal matters.

The forms of misuse in this second group are perceived as less serious threats than those in the first group. The perceived threat in the second group is primarily loss of worker productivity. One may argue that some of these forms of misuse also lead to loss of confidential information. For example, an insider blogging about the organization’s business without authorization could disclose trade secrets. Or an insider using a personal instant messaging account through the corporate network could introduce malware into the organization. Nevertheless, our respondents do not view these forms of misuse as being as serious as those in the first group. Whether these forms of misuse should be treated more seriously is a subject for analysis in the full report.

Sample of Key Findings

The points below summarize some of the findings of the full study:

• Unauthorized copying of files to portable storage devices is the most serious threat and a major source of information leakage from organizations. The majority of organizations categorize it as a major threat, yet approximately one-third make no attempt to deter such activity.

• Downloading unauthorized software is a close second in perceived threat level, and nearly 90% of organizations have policies forbidding this activity.

• Unauthorized P2P file-sharing programs are considered a major threat by more than half of organizations, but one-quarter make no mention of P2P programs in their acceptable use policies.

• Use of unauthorized remote access programs and services rounds out the top four perceived threats, with 17% of organizations reporting widespread violations of policy.

• Downloading of unauthorized media content such as video and music is not judged as serious as the preceding four threats. The majority of organizations nevertheless give verbal warnings to insiders who violate organizational policy against unauthorized downloading.

• Unauthorized authorship of blogs concerning the organization’s business is not addressed in the policies of most organizations. Similarly, most organizations make no attempt to deter insiders from making unauthorized postings to message boards concerning the organization’s business.

• More than one-third of organizations have no policy concerning instant messaging using personal accounts.

• The majority of organizations view use of personal email accounts from within the corporate network to be a moderate or major threat, but 29% either have no policy or take no action when policy violations are detected.

• More than half of organizations consider non-work-related Web browsing to be a moderate or major threat, but one-third explicitly allow insiders to browse the Web from within the corporate network. This may be because the majority of companies have specific controls in place to monitor or block inappropriate Web browsing, though there are significant variations in the types of sites restricted.

• More than half of the study respondents view use of business email for personal matters as a moderate or major threat, but one-third do not address this behavior in their acceptable use policies or make any attempt to deter it. Nearly half of all organizations report widespread violations of corporate policy.

• To deter or detect insider misuse, most organizations have email monitoring policies in place, and the majority of organizations examine insider computer files or monitor insider Internet traffic when misuse is suspected. Few log insider keystrokes, however.