Top executives from some of the world’s largest companies mistakenly think the greatest risk to their company’s security is from outside sources, says a new survey.

Yet a company’s most sensitive information is usually compromised by an insider, a disgruntled employee who attacks the business’s e-infrastructure or leaks critical information outside the organization for somebody else to penetrate.

“Although a lot of press is given to people who are hacking into systems and that are wreaking havoc in that manner, we really see the losses arising from internal sources more often than not,” says John Williams, senior vice-president of KPMG Investigation and Security Inc. in Calgary.

The Global e-Fraud study conducted by KPMG includes responses from more than 1,200 executives at some of the largest public and private companies in several countries, including Canada. Nearly 92 per cent of CEOs, CIOs and other senior managers surveyed in this country believed a breach in their e-commerce system would come through the Internet or other external sources.

“Our experience when we get involved in an investigation is that there’s an internal link,” noted Williams. “If you haven’t figured out where that breach of security came from, that problem may still be lurking within your organization,” and sooner or later will resurface.

The survey also revealed that many companies either haven’t installed adequate security safeguards that could help prevent and prosecute e-fraud, or simply wipe out the evidence after a breach to protect the company’s reputation.

“One of the problems we’re encountering is that companies are getting their systems back up and running, or are modifying the integrity of the electronic media that contains the data that we would be looking for if we were pursuing this matter in a civil or criminal court,” says Williams.

Other findings from the survey:
* 22 per cent of companies have computer forensic response guidelines;
* 54 per cent of Canadian respondents perform background checks on the entities that assist them with the development or administration of their e-commerce system;
* Only seven per cent of Canadian executives reported a security breach in the last 12 months, compared to nine per cent globally. Of the global number, less than one-third pursued legal action.

Williams suggests a few basic rules for companies to keep in mind, including conducting proper due diligence on new hires and installing adequate encryption, firewall and other security devices. “Especially for the smaller companies, it can really save all their valuable assets,” he adds.