Beware the insider security threat

CIO Jury: Disgruntled staff pose biggest risk…

Employees and insiders are bigger threats to corporate security than external threats such as denial of service attacks or malware.

Security experts at the RSA security conference in San Francisco last week warned of all manner of threats, ranging from botnets to Metasploit attacks.

But it is the insider that still poses the biggest risk according to all but one of's 12-strong CIO Jury IT user panel.

Graham Yellowley, director of technology services at investment bank Mitsubishi UFJ Securities International, said: "Undoubtedly, the statistics show that 70 per cent of fraud is perpetrated by staff rather than by external people or events. We invest up to 90 per cent of our security resources on controls and monitoring against internal threats."

Mike Roberts, IT director at private Harley Street hospital The London Clinic, agreed: "We find the misuse of the internet and using company email addresses the biggest problem."

The main data security threat comes from poorly trained or disgruntled employees who are authorised to have access to data and file stores, according to Alastair Behenna, CIO at Harvey Nash.

He said: "Each one is fully capable of creating a gaping hole in your otherwise secure network. Good users will use good sense and follow practical policies and processes to maintain a secure infrastructure."

David Supple, head of IT at Ecotec Research & Consulting, added: "Commercially speaking, the aggrieved leaver poses a much bigger risk - your sensitive data will have gone with your best stationery before you know it unless you are actively monitoring and auditing how your systems are used."

But spending vast amounts on the latest security technology isn't the way to tackle this threat, according to Steve Clarke of AOL Broadband.

He said: "However good the security, there's always a point when data or IP needs to be used by employees and at that point it's always insecure whatever security product set is used. A rigorous policy, good process and an investment in training will increase security far more than a large cap-ex spend on the latest and greatest technical security."

But Jane Kimberlin, IT director at Domino's Pizza Group, argued that it is "external targeting" rather than the insider that is the biggest security threat to corporate networks.

Today's CIO Jury was:

Alastair Behenna, CIO, Harvey Nash
Alan Brown, director of IM & technology, West London Mental Health Trust
Steve Clarke, director of systems and operations, AOL Broadband
Chris Clements, IS director, RM
Simon Crawshaw, IT and procurement director, Bourne Leisure
Steve Gediking, head of IT & facilities, Independent Police Complaints Commission
Neil Harvey, head of IT and accommodation, Food Standards Agency
Jane Kimberlin, IT director, Domino's Pizza Group
Mike Roberts, IT director, The London Clinic
Richard Storey, head of IT, Guy's and St Thomas' NHS Foundation Trust
David Supple, head of IT, Ecotec Research & Consulting
Graham Yellowley, director of technology, Mitsubishi UFJ Securities International

Want to be part of's CIO Jury and have your say on the hot issues for IT departments? If you are a CIO, CTO, IT director or equivalent at a large or small company in the private or public sector and you want to be part of's CIO Jury pool, or you know an IT chief who should be, then drop us a line at