MX Logic IT Security Blog

06 February 2008

Article Commentary: Human Error the Leading Cause of Security Threats

I ran across this article this morning, which states that, according to Deloitte, human error is the leading cause of security threats. I agree with this to a point.

I thought it was important to mention this concept as it is also a major point in the Security Awareness presentations that I do. Where my opinion differs is that I believe that human error is the leading cause of *insider* security threats, but not the leading cause of all security threats.

Perhaps I am being myopic because of the type of company that I work for, but I view intrusion as the result of public server vulnerability, virus infection, and social engineering to be a much larger issue.

That isn't, however, to take away from the importance of the insider threat. When I say "insider threat" am I referring to employees who are going out of their way to do something malicious or to try to access data that they know they shouldn't have access to? Yes, but I am also referring to employees who stumble upon information due to lack of proper security controls or the maintenance thereof. For example, if you work in your Customer Support department and happened to stumble upon a spreadsheet named "Executive Salaries 2008.xls" somewhere out on a network share, that you had permission to view, would you open it? Perhaps you would report it, but I'll bet you a nickel that you would look at it first, maybe save a copy for yourself, or print it out on the closest printer to show your friends. These are examples of insider threats just as much as the over-eager security novice who is attempting cross-site scripting attacks against your production systems in an attempt to learn.

According to the 2006 E-Crime Watch Survey, insiders were responsible for 27% of all security incidents and 55% of respondents reported at least one incident that was the result of insider activity. That's more than 1 in 4 security incidents that happen as a result of an internal employee! That's a lot, especially in an age where most of what you read about in security publications talks about the latest worms, keyloggers, and other maladies looking to steal your financial data.

The article also states that "Another security worry is many line-of-business executives' tendency to see information security as solely IT's problem." If your company puts the responsibility of security solely with the IT department, they are missing the boat. Security should not rest with IT for the same reasons that it should not rest with Production Operations or Quality Assurance or any other department; they have their own agendas and their own core competencies to focus on. Adding "make sure we are secure" to that mix is a certain recipe for failure. Your security program implementation, maintenance, and enforcement should be handled by an independent (could be internal) source whose *main responsibility is the security program*.

The article concludes by making a statement in regard to the implementation of a corporate security program: "A prerequisite for effective information security is the implementation of a proactive information security strategy that is closely linked to the company's overall business strategy, business requirements, and key business drivers." This is completely true. One thing I would add onto it is "...and has the full support of the company's executive team." Without the support of the people who run the company, your program will barely get off the ground.

Posted by smasiello at 10:13 AM
