Chapter 1. Managing Information Security Risks
It is easy to overlook the fact that information security affects an entire organization. But ultimately, it is a business problem whose solution involves more than deploying information technology such as firewalls and virus patches. Some surveys on security incidents and breaches have indicated that the majority of security breaches occur from the inside, not from the notorious teenage attackers trying to get in from the outside. More recent surveys indicate that the majority of attacks do come from outside. There are yet other indicators that the most costly attacks come from the inside, even though the highest frequency of attacks come from the outside. With little consistency in the information available, it is difficult to pin down exactly where your threats lie. What is consistently reported, however, is an increase in the numbers of security incidents and vulnerabilities.
No matter which way the current statistics swing, you need to consider both internal and external threats. Your organization is only as secure as its weakest link, and that link, more often than not, is one of you. How many people can state with certainty that they have not deliberately or inadvertently revealed their passwords in the past year? How many have a file on their personal data assistant (PDA) that lists passwords or contains confidential information? How many have "yellow stickies" under the keyboard? How many employees load games on their workstations or open up unknown email attachments? How many companies spend the time and money to keep up with the latest patches and technological security tools? Without good organizational practices in place and enforced, in addition to technological safeguards, the organization and its assets are at risk.