Majority of IT pros don’t see senior management taking enough responsibility for insider threat

More than half of IT professionals (57%) believe their organisation’s senior management does not take enough responsibility for internal security, according to new research from IS Decisions.

Currently, the IT department (80%) takes responsibility for insider threat in nearly twice as many organisations as the C suite (43%) does.

And while security budgets have grown by about a third over the last year, the average amount apportioned specifically to internal security accounts for just 3.6% — despite the increasing potential risks.

However a majority of 68% of IT professionals expect budgets on internal security to grow significantly within their organisation and 67% stated they plan to look at specific tools, technology and data to help tackle insider threat, highlighting further the need for senior involvement.

The findings are part of research revealed in IS Decisions’s new report User security in 2015: the future of addressing insider threat, based on a survey of 250 IT professionals in the UK and 250 in the US.

The senior executives’ worrying lack of support and awareness on insider threat comes after a year of high-profile breaches at major companies like eBay, Target and JP Morgan where lax internal security played a part.

As a result, 37% of organisations across the UK and US are planning an insider threat programme this year, driven mostly by the IT department.

IT pros are also craving guidance on mitigating insider threat from outside of the company, with 91% believing that industry-wide collaboration is needed and 78% wanting clearer guidelines on tackling the issue.

François Amigorena, CEO of IS Decisions, commented, “Senior executives need to wake up to the reality that is insider threat. For good reason, 2014 has been dubbed by many as the ‘year of the breach’, and no company is safe — no matter how large or small.

“We have seen the most senior people in organisations like Target pay the price of poor security practices by losing their jobs, showing just where the responsibility should lie now and what kind of penalties can ensue.

“While IT professionals are clearly very much taking heed of what they’re seeing, C-level personnel must also be on board if 2015 is to be the ‘year of tackling insider threat’”.

The report is available to download via IS Decisions’s website: User security in 2015: the future of addressing insider threat