Welcome To Our Data Security Blog

 
  North West London Hospitals NHS Trust
       
  Author: BreachAware Date: 19th October 2010
 

The Chief Executive of the North West London Hospitals NHS Trust has signed a formal Undertaking after a doctor left medical information about 56 patients on a tube train.

 


 
  Lord Chief Justice of Northern Ireland
       
  Author: BreachAware Date: 19th October 2010
 

An Undertaking to comply with the seventh data protection principle has been signed by the Lord Chief Justice of Northern Ireland. This follows the inappropriate disclosure of personal data in an email from his office earlier this year.

 


 
  Healthcare Locums Plc (HCL)
       
  Author: BreachAware Date: 14th October 2010
 

A formal Undertaking has been signed by Healthcare Locums Plc (HCL). A hard drive containing doctors' security clearance and visa information had been sold on an auction website before being returned to HCL.

 


 
  Insider risk problem revealed
       
  Author: Admin Date: 12th October 2010
 

Security experts have turned the notion that so-called “malicious insiders” are the biggest cyber security threat for companies on its head.

The security vendor RSA revealed that the majority of breaches are actually caused unintentionally by employees.

Its survey showed that firms believed 52% of incidents were accidental and 19% were deliberate.

“Unintentional risk gets overlooked, yet it’s the most serious threat to business,” said the RSA’s Chris Young.

“The sexy incident where someone gets arrested for stealing records and selling them to a third party for a lot of money is the stuff that catches the attention of the media, the regulators, executives and Congress people.

“But this is not necessarily where organisations have 100% of the risk,” said Mr Young, the RSA’s senior vice president of products.

The study conducted by the RSA and IT analysts IDC looked at 11 different categories of risk ranging from malware and spyware to employees having excessive access to systems and from unintentional data loss to malicious acts for personal gain.

The report concluded that the difference between the most frequent type of cyber breach – unintentional data loss, at 14.4% per year, and the bottom of the list – internal fraud, at 10.6% – is a clear sign that no single solution can address all potential internal security risks.

It covered over 400 firms from the US, UK, France and Germany across a variety of sectors including the financial industry, healthcare, telecommunications and technology.

‘Weakest link’

The report noted that whether the threats are accidental or deliberate, the cost to a company of a cyber breach is still the same.

The RSA and IDC said disclosure of sensitive information results in regulatory actions, failed audits, litigation, public ridicule and competitive fallout.

Government figures report 32,000 suspected cyber attacks every day

“The figures are hard to quantify, but the average annual financial loss to insider risk adds up to $800,000 (£480,000) overall per organisation in the US and between $300,000-$550,000 (£180,000-£330,000) in the UK, France and Germany.

“And that ties into the billions of dollars range when you think of the thousands of companies that comprise the IT industry,” said Mr Young.

A recent report by the Ponemon Institute found that the average cost of a data breach in 2008 was $202 (£122) per customer record.

The information security firm also determined that the expense continued to rise by 38% between 2004 and 2008.

The RSA and IDC discovered that the weakest link in any company is the temporary employee or contractor.

“They represent the greatest internal risk,” Mr Young told BBC News.

“Most organisations start with a principle of trust and you trust your employees to be able to do their job well and protect the interests of the company. There are always levels of trust which is greater or lesser depending on how closely tied an individual actor is to an individual organisation.

“It’s likely contractors may be less well-trained in organisational policy and it’s harder to maintain control over their access to systems because of the time they interact with an organisation. There is always a tension between letting an employee do his or her job versus security,” said Mr Young.

The Better Business Bureau has drawn up a list of simple things companies should do to secure their data, often regarded as the crown jewels of any company.

It advises limiting systems access to a few trusted employees, using a password protection system for logging in, equipping computers with firewalls and virus protection and educating employees.

http://news.bbc.co.uk/1/hi/technology/8215467.stm

 


 
  Zeus banking virus is back warns security firm
       
  Author: Admin Date: 12th October 2010
 

Zeus, a virus that steals online banking details from infected computer users, is more powerful than ever, warns a web security company.
Trusteer says it has spotted the Trojan virus in one of every 3,000 of the 5.5m computers it monitors in the US and UK.
Zeus 1.6 can infect Windows machines using Firefox and Internet Explorer web browsers, the company claims.

The malware steals login information by recording keystrokes when the infected user is on a list of target websites.

These websites are usually banks and other financial institutions.

The user’s data is then sent to a remote server to be used and sold on by cyber-criminals.

“We expect this new version of Zeus to significantly increase fraud losses, since nearly 30% of internet users bank online with Firefox and the infection is growing faster than we have ever seen before,” said Amit Klein, chief technology officer at Trusteer.

DIY virus

In March 2010, many parts of the command and control (C&C) system for the Zeus botnet were destroyed when the Kazakhstani ISP that was being used to administer it was cut off.

However, it does not take long for malware controllers to spring up elsewhere, and toolkits for assembling botnets are readily available on the black market.

“There are plenty of opportunities for people to purchase access to these systems through underground chat rooms,” said Dr JD Marsters, from the department of electronics and computer science at the University of Southampton.

“It’s a game of cat and mouse between anti-virus vendors and botnet developers.”

Computer users should ensure that their anti-virus software and operating systems are kept up to date, he advised.

http://news.bbc.co.uk/1/hi/technology/8634356.stm

 


 
  New era for internet security amid increased attacks
       
  Author: Admin Date: 12th October 2010
 

Internet security techniques must adapt to keep up with the rising tide of net attacks, say officials.

The issue is top of the agenda at the world’s biggest security conference hosted by vendor RSA.

Recent incidents such as the high-profile attacks on Google in China have highlighted the new challenges.

“The attacks are getting more malicious, sophisticated, and from different directions,” said the chief executive of Verisign, Mark McLaughlin.

Mr McLaughlin’s company manages the .com and .net domains of the internet.


 
  Web hit by hi-tech crime wave
       
  Author: Admin Date: 12th October 2010
 

Hi-tech criminals are racking up more than 100 attacks a second on the world’s computers, a survey suggests.

While most of these attacks cause no trouble, the Symantec report suggests that one attack every 4.5 seconds does affect a PC.

The wave of attacks was driven by a steep rise in malicious software in circulation, said the annual report.

The number of malware (malicious software) samples that Symantec saw in 2009 was 71% higher than in 2008.

Crime family

This meant, said Symantec, that 51% of all the viruses, trojans and other malicious programs it has ever seen were logged during 2009.

In total, Symantec identified almost 2.9 million items of malicious code during that 12 month period.

The steep rise in malware was driven largely by the growing popularity of easy-to-use toolkits that novice cyber criminals are using to turn out their own malware, said Tony Osborn, a technology manager for the public sector at Symantec.

Some of the kits were available for free, said Mr Osborn, but others cost a lot of money.

http://news.bbc.co.uk/1/hi/technology/8630160.stm


 
  UK teenager jailed for not disclosing password
       
  Author: Admin Date: 6th October 2010
 

A UK teenager, under suspicion by police countering online child sexual abuse and exploitation, has been jailed for 16 weeks for not disclosing his password to investigators.

Police were unable to crack the password, thought to be 50 characters long, and even after the conviction they still cannot gain access.


