Light Dark
November 30, 2015 By David Strom 3 min read
CISO
Data Protection

A new Intermedia Insider Risk Report showed that the biggest risk to enterprise IT security is the IT department itself. The report surveyed more than 2,000 IT workers in the U.K. and U.S. earlier this fall. The survey asked questions about whether employees would take data from their companies when they changed jobs, install personal apps on work-owned PCs or operate independently from any tech department for nonapproved purchases.

Results showed IT workers were more willing to go against policy in certain circumstances. For example, almost one-third of IT department respondents would take data if it could benefit them, compared to only 12 percent of the general population.

I am not surprised that IT is its own worst enemy here. Over the years, I’ve met many IT workers who embody this attitude. They don’t feel bound by their own security policies, best security practices or other rules that they create for their fellow employees — and that is a sad and sorry state of affairs.

Malicious insider attacks were also recently designated one of the top four cybercrime trends by IBM Emergency Response Services (ERS). So what can you do about this situation? Here are several suggestions.

Recognize Dangerous Behavior

First, take a look at this report from last year, “Combating the Insider Threat.” It gives some good advice on how to recognize potentially dangerous insider behavior, including tracking a pattern of employees who access the network during off hours, or when IT workers are supposedly on vacation or show abnormal interest in matters outside their scope of duties. They have a number of great recommendations that are very actionable. Some of my favorites include:

  • Deploy data-centric, not system-centric, security. This means you should use your intrusion detection system (IDS) to look more closely at your critical data sources and uses rather than trying to protect your firewalls or servers. Indeed, the report suggested that you “think like a marketer and less like an IDS analyst,” meaning you need to look at what information could be useful to your competitors or other outsiders.
  • Build meaningful baselines. Look at network volumes or frequency of particular recurring patterns. That way, when something abnormal happens — like your soon-to-be-ex-employee downloading 1 TB of customer database — you can actually catch it on tape.
  • Use centralized logging. Logging can detect data exfiltration near insider termination situations. We all can expend a lot of effort tracking what happens when employees are terminated or resign to make sure that their access has been revoked across all systems. Another method is to “announce the use of policies that monitor events like unusual network traffic spikes, volume of USB/mobile storage use, volume of off-hour printing activities and inappropriate use of encryption.” Even if you don’t enact initiatives in each of these areas, at least you’ve put the potential bad actors on notice.
  • Note frequent visits to sites. Frequent visits may indicate low productivity, job discontent and potential legal liabilities (e.g., hate sites or pornography). Don’t go too overboard here, but certainly keep an eye out for this kind of behavior.

Listen to the IT Department

Second, be a better listener and start looking for changes in your corporate culture, even subtle ones. Oftentimes, employee satisfaction (or dissatisfaction) originates from small things: canceling flextime, tightening benefits or micromanagement.

Finally, evaluate your own management style and take stock of recent controversial decisions, as well as why they were so contentious. Perhaps an attitude readjustment is in order to help your own department become more inclusive in its decision-making or operations.

Read the IBM Research Report: Battling security threats from within your organization

 |  |  |  | 
David Strom
Security Evangelist

More from CISO
December 30, 2024

CISO vs. CEO: Making a case for cybersecurity investments

4 min read - Ask CISOs why they think there is a cyber skills shortage in their organization, what keeps them up at night or what the most important issue facing the industry is — at some point, even if not the first response, they will bring up budgets.For example, at RSA Conference 2024, a roundtable discussion about issues facing the cybersecurity industry, one CISO stated bluntly that budgets — or lack thereof — are the biggest problem. At a time when everything is…

December 13, 2024

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

December 11, 2024

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature