Security experts warn of insider threat timebomb

Hacking is not the only way to steal sensitive data

Security experts have warned that the risk from insider threats may be more widespread than commonly thought, as criminals look to compromise sensitive company data through non-technical means.

Nick Frost, senior research consultant at the Information Security Forum, said at a press event to discuss the Threat Horizon 2011 report that there is a dangerous misconception about the type of attacks that many criminal gangs are launching.

"Yes, they use sophisticated Trojans and malware, but in a lot of cases the gangs are introducing less sophisticated attacks which don't get picked up, like infiltrating organisations with individuals they have sponsored through university, or paying systems administrators for data," he said.

"The challenge is that background checks often don't do much anyway. A lot of this is anecdotal evidence from our members, but it's a potentially massive vulnerability."

However, Frost admitted that the scale of the problem is hard to estimate, because organisations are reluctant to talk about security breaches and the inefficiency of background checks.

William Beer, director of the information security practice at PricewaterhouseCoopers, agreed that cyber criminals are often able to exploit gaps in organisation-wide security.

"My banking clients are concerned by cross-channel fraud, not just online but phone and call centre channels too," he said. "The [criminals] piece together different information to come in under the radar, and security teams are often not linked, which makes the problem harder to track."

Beer called for a more joined-up approach to security which would replace the silo arrangements in many organisations.

The consultant also highlighted the need for a greater focus on secure development processes, security awareness and training programmes that are more closely tied to organisational culture, and greater security/business alignment.