In-Depth

Survey Says Insider Theft Tops CIO's Worry List

Why the threat of theft-from-within is keeping enterprise CIOs up at night

• By Stephen Swoyer
• 06/03/2008

A majority of North American IT chiefs view theft-from-the-inside as a much greater threat than theft-from-without, according to a new survey from Secure Computing Corp., an enterprise gateway security provider.

Insider threats -- stemming from intentional and unintentional data leaks -- are keeping many IT chiefs awake at night, with fully 80 percent of respondents citing theft-from-within as their number one security issue overall.

A few caveats: Secure Computing's survey sample size -- of 103 CIOs at U.S. companies -- is small, and Secure Computing (as a purveyor of gateway devices designed to both keep the bad guys out and protected content in) does have a dog in the race. Nonetheless, its survey data does raise some provocative issues as well as explode a few popular myths.

Less than one in five (17 percent) CIOs say they're more concerned about external than internal threats, and more than one-third (37 percent) of respondents acknowledged that their organizations had experienced the loss or theft of sensitive information over the last 12 months.

Surprisingly -- or not, depending on your point of view -- a plurality of respondents (34 percent) cited e-mail as their number one security concern. This was followed by Voice over IP (VoIP) leakage or theft (cited by one-quarter of respondents) and is even deemed a more substantive threat than unsanctioned Web surfing, which only 21 percent of IT Directors say is a top priority.

Likewise, Secure Computing indicates, CIOs aren't sure what to make of Web 2.0-related security concerns. In such cases, they're more likely to cite damage from external threats (e.g., malicious Web 2.0 services or gadgets) as a bigger danger than Web 2.0-related spam or -- interestingly -- the potential loss or theft of data from Web 2.0 applications.

Where hackers are concerned, CIOs don't have hackers on the brain: fewer than a quarter of respondents cite hacking or hackers as the biggest overall security threat facing their organizations.

Instead, more than half of respondents cited malware as their biggest concern.

Not surprisingly, CIOs are throwing money at their anxieties, directing the bulk of their security-related IT spending to shoring up internal safeguards.

More than one-third of chiefs cite internal security as their primary area of IT spending, while -- shockingly, given the current state of the economy -- CIOs say spending to improve IT asset management is actually lowest on their priority lists. (Asset management-related spending typically spikes during periods of economic uncertainty.)

Elsewhere, Secure Computing claims, IT security itself is undergoing a perceptual shift of sorts: only 11 percent of respondents say their boards perceive security spending as a "necessary evil." Almost 90 percent see security-related spending as "at least as important" as other kinds of IT spending.