Nearly 60% of U.S. businesses and government agencies report they don't have the information or the technology to deal with insider threats to their network, according to a new study.
The research, done by the Ponemon Institute, also shows that 58% still rely on manual controls to audit and control user access to critical enterprise systems and data resources, leaving networks open to privacy breaches, failed audits, and potential fraud or misuse of data.
"Our findings point to a number of barriers preventing the implementation of effective identity management and proactive safeguards for securing sensitive corporate data against insider risk," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a written statement. "In order to assess risk, and identify and address identity management shortcomings, organizations must have access to data and appropriate coordination across business units. Our research shows that, for too many companies, this is simply not happening."
According to the study, 71% of respondents confirm that identity compliance activities are strategically important, accounting for an average of 28% of total IT compliance budgets. And 64% of respondents say they have deployed an identity and access management (IAM) system, a category that includes access control, password management, provisioning, and role management.
That's not solving the problem, though. The study also shows that almost 60% of respondents say their companies are unable to effectively focus IAM controls on areas of the greatest business risk. They add that this is a "severe" risk.
What's going wrong with corporate identity and access management projects? Fifty-eight percent of survey respondents say they mostly use manual methods and 51% take a reactive approach.
"As the complexity of identity management has increased, so have the inherent risks, media attention and public scrutiny associated with corporate compliance initiatives," said Jackie Gilbert, founder of SailPoint Technologies, in a written statement. SailPoint commissioned the study.
Insider threats pose a significant risk to companies. Last month, the Delaware U.S. attorney revealed a massive insider data breach at chemicals company DuPont, where a former scientist pleaded guilty late last year to trying to steal $400 million worth of company trade secrets. The insider now faces up to a decade in prison, a fine of $250,000, and restitution when sentenced in March.
And in January, a former systems administrator at Medco Health Solutions was charged with allegedly writing and planting malicious code that could have crippled a network that maintained health care information on customers. A co-worker found the so-called logic bomb before it went off. This comes just months after a former systems administrator, who was convicted last summer of launching an attack on UBS PaineWebber four years ago, was sentenced to 97 months in jail in U.S. District Court in Newark, N.J.