Although outside hackers get all the publicity, technology-savvy employees pose the biggest security threat, because they understand their companies' business and how the computer systems work, an analyst said last week.
"The skilled insider clearly represents the greatest threat, and represents the greatest challenge," said William Malik, research area director at Gartner Group, during the company's Symposium/ITxpo '99.
These inside threats will increase over time as more people become computer-literate and as IT becomes more user-friendly, he added.
"Things are bad and getting worse," Malik said.
Plus, the constant renewal and adoption of new IT products erode a company's IT security framework, he added.
Vendors of security products aren't helping IT managers much in this area, the analyst said. Once the sale is completed, many vendors exit the picture and rarely help customers fine-tune, integrate and maintain the products, Malik added.
In addition, the security market features a dizzying array of products that attempt to address a variety of security issues. Thus, IT staffers are faced with a complicated landscape of products and technologies, which, coupled with the urgency of protecting their companies' systems, often leads to bad technology choices, Malik said.
Moreover, the likelihood of making a bad choice is heightened by the sad reality that many of the available products don't fulfill their makers' promise, Malik said.
"There is a population of weak products that promise much more than they can deliver," Malik said.
The US government hasn't been much help so far either, since legal loopholes and gaps have prevented many attackers from being successfully prosecuted, Malik said. However, improvements in this area are expected in the coming years because the government seems more willing to crack down on these types of crimes, he added.
Another thing companies must understand is that technology alone is not enough to protect them from security threats, the analyst said. In fact, companies shouldn't even begin to evaluate security products and technologies until they have established a company-wide security policy and standards, set up a security architecture and related processes, and trained the staff on security matters, Malik said.
Choosing the products before defining the corporate security framework often leads to faulty protection, he added.
"Security isn't a technology problem. It's a (corporate) culture and values problem," Malik said.
Consultancies, such as PricewaterhouseCoopers, Ernst & Young and Deloitte & Touche, stand to gain from the current state of things in the IT security market because companies, overwhelmed by the complexity of choosing and implementing security products, will turn to them for help, Malik said. Gartner expects the worldwide information security consulting market to grow to $US5.5 billion by the end of 2003, up from $1.1 billion at the end of 1999, he added.