Cyber Security Institute

Monday, April 16, 2007

Internal IT Threats in Europe 2006

InfoWatch and the world’s first-ever annual study on the problems of internal IT security in Europe.  The findings are based on surveys InfoWatch conducted with a range of middle- and upper-tier IT management professionals from 410 companies across Europe.

The EU—unlike the US—has had no directives requiring the mandatory notification of victims in cases of data breach, and companies have been slow at times to initiate notification procedures.  It is natural that company management would fear the major costs—both financial and in terms of lost reputation—which accompany a data leak.  Rather than initiate costly procedures against themselves, some have opted to hope that the problem will just go away, especially in the typical case of a lost or stolen laptop.  Such a policy of avoidance can result in hefty losses for those whose data is held on the computer and who become victims of identity theft as a result.  Many companies have, of course, been proactive in dealing with such leaks, notifying those affected, setting up advice hotlines, providing bank account monitoring and bringing in the law-enforcement agencies.

To date, admissions of data leakage across the EU have relied on companies choosing to make that information public—a decision which has depended on how the company perceives its best interests in the circumstances—but that may soon change.  While InfoWatch welcomes the growing appreciation among IT managers of the importance of viable preventative solutions to internal information security, InfoWatch looks forward to being able to share with their partners and clients the clearer picture of data leakage across Europe that the proposed EU directive will stimulate.

Key conclusions
- Europe’s IT professionals overwhelmingly indicate (78%) that data theft represents the primary information security threat – more significant than either viruses or hacker infiltration
- Of all possible results of compromised information security, the threat of leakage of confidential information is keeping more members of the IT department (93%) awake at night than any other
- Europe’s primary data leakage channels are identified as portable storage devices, e-mail, and Internet-based channels such as web-mail and forums
- Only 11% of those surveyed were confident their company’s information security had not been breached over the last year – a figure which closely mirrors the number of companies with anti-leakage solutions in place – with 42% admitting to between 1-5 breaches and 37% unable to say with certainty that no breach had occurred
- The lack of industry standards is highlighted as the primary obstacle (42%) to wider implementation of anti-leakage technologies
- Perceived solutions include the deployment of comprehensive anti-leakage software, the implementation of appropriate organizational measures – such as clear and consistent internal security policies – controls on external network access, and raising staff awareness and discipline through training.

http://www.viruslist.com/en/analysis?pubid=204791935

Posted on 04/16