News

Survey: Insider Theft Tops CIO Worry List

• By Stephen Swoyer
• June 03, 2008

Insider threats stemming from intentional and unintentional data leaks are keeping many IT chiefs awake at night, with fully 80 percent of respondents citing theft from within as their No. 1 security issue overall.

A few caveats: Secure Computing's survey sample size of 103 CIOs at U.S. companies is small, and Secure Computing (as a purveyor of gateway devices designed to both keep the bad guys out and protected content in) does have a dog in the race. Nonetheless, its survey data does raise some provocative issues, as well as explode a few popular myths.

Less than one in five (17 percent) CIOs said they're more concerned about external than internal threats, and more than one-third (37 percent) of respondents acknowledged that their organizations had experienced the loss or theft of sensitive information over the last 12 months.

Surprisingly -- or not, depending on your point of view -- a plurality of respondents (34 percent) cited e-mail as their No. 1 security concern. This was followed by VoIP leakage or theft (cited by one-quarter of respondents) and is even deemed a more substantive threat than unsanctioned Web surfing, which only 21 percent of IT directors said is a top priority.

Likewise, Secure Computing indicated, CIOs aren't sure what to make of Web 2.0-related security concerns. In such cases, they're more likely to cite damage from external threats (e.g., malicious Web 2.0 services or gadgets) as a bigger danger than Web 2.0-related spam or, interestingly, the potential loss or theft of data from Web 2.0 applications.

Where hackers are concerned, CIOs don't have hackers on the brain: Fewer than a quarter of respondents cited hacking or hackers as the biggest overall security threat facing their organizations. Instead, more than half of respondents cited malware as their biggest concern.

Not surprisingly, CIOs are throwing money at their anxieties, directing the bulk of their security-related IT spending to shoring up internal safeguards.

More than one-third of chiefs cited internal security as their primary area of IT spending, while -- shockingly, given the current state of the economy -- CIOs say spending to improve IT asset management is actually lowest on their priority lists. (Asset management-related spending typically spikes during periods of economic uncertainty.)

Elsewhere, Secure Computing claimed, IT security itself is undergoing a perceptual shift of sorts: Only 11 percent of respondents said their boards perceive security spending as a "necessary evil." Almost 90 percent saw security-related spending as "at least as important" as other kinds of IT spending.