This article from Computer World is quite interesting, if initially slightly confusing. The headline seems to mirror the content but it sems to be challenged by the summary:
Recent findings that insiders constitute the primary threat to enterprise security are being challenged by experts who insist the greater threat to security remains external.
The article cites the CSI study and quotes NASA and US Dept. of Labour CIO's as saying that their main threats are external. However as a few security experts later in the article state the problem is probably that the internal threat isn't detected.
"I don't believe that many corporations know that the majority of attacks occur behind the firewall," said Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York. "And most still believe the firewall will stop them."
I think this rings particularly true with Financial companies. There might not be many such incidents yet, but when they happen they happen big and hurt alot more than an external attack through the firewall.
In addition I think we will start seeing much smarter hacker groups around, who will build up much greater inside knowledge of financial institutions. Just look at the hackgroups of the 80's who often had greater knowledge of the phone companies internal computer systems, than most people within.
Enterprise IT managers and CIOs, growing impatient with security vulnerabilities, are fighting back with language in contracts that holds software companies liable for breaches and attacks that exploit their products. ...
... For example, a Fortune 50 company recently wrote a clause into a contract with a major software company that holds the vendor responsible for any security breach connected to its software, according to sources familiar with the deal. [eWeek]
This is definitely a trend we will see continue. Not just for commercial software but also in internal and external agreements for software development or service providing.
For service providers, I would imagine that this would become addendums as part of their existing Quality of Service agreements. Some of these current agreements might already be good enough as they are to cover such events. But ofcourse as the service providers get hit by more and more of these issues, they will naturally want to pass the buck onto the software providers.
