While evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, it is easy to conclude that external attacks should be the primary focus of defense. That conclusion would be wrong. The critical element is not the source of a threat but its potential for damage. Evaluated from that perspective, the picture changes: although most attacks may originate outside the organization, the most serious damage is done with help from the inside. This survey highlights managing internal threats as the key to winning at cyber security.
Even advanced external adversaries look for the easiest way to compromise an organization. Organizations' increased focus on robust perimeters and locked-down systems has made their servers harder to compromise, leaving insiders as the easiest attack vector available. Because organizations typically have many more insiders than servers, and because a single click on the wrong link or attachment can be enough to compromise the organization, adversaries have increasingly made insiders their primary point of attack. This survey was designed to provide greater insight into the current state of insider compromise and what organizations can do to protect against this major threat lurking in most of them.
We explore these and other valuable insights in the following pages.
The respondents to the survey come from a wide range of organizations, in size from fewer than 100 employees to more than 100,000. The largest group consists of organizations with between 100 and 10,000 employees. The bulk of responses come from U.S.-based companies, but all major global regions are represented. The breakdown of industries represented (see Figure 1) is particularly revealing.
It would not be surprising if industries that tend to hold more critical intellectual property, including banking, government and high tech, were more conscious of the risk of data loss from insiders and therefore more likely to participate in a survey on the topic. The important thing to remember is that any organization, regardless of its business or the relative volume of personal data or intellectual property it relies upon, can be targeted by an adversary. Experience tells us that organizations that perceive their data as having comparatively low value, and that therefore spend less on cyber security, are often compromised precisely because they are easier targets. Data that is perceived as low value and left unprotected is much easier for an adversary to compromise, and the compromise is much more difficult to detect when an attack occurs.
From a maturity perspective, the survey shows that organizations are starting to recognize the importance of insider threat and are focusing more resources on building out a proper incident response process. Forty-nine percent of respondents report that they are in the process of building out a program, but what is concerning is that 31% still do not have a plan and are not focusing effort on the insider threat, as illustrated in Figure 2.
While it is important to develop incident response plans to address insider threat, it is also important to build out defensive measures to both prevent and detect attacks in a timely manner. Ensuring that programs are effective requires metrics to measure and track the progress of security controls as they are developed and verify that they are effective and are focused on the right threat vectors.
It would be interesting to correlate the number of organizations lacking insider threat programs with the number of breaches and the volume of data compromised. Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify. From this author’s experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.
One ray of hope among these survey results is the indication that organizations have begun to recognize that the potential for damage from insiders is greater than from external threats. Both unintentional and malicious insider action were ranked as the most damaging type of attack (severity 1) more often than external threats: 36% and 40% of respondents, respectively, named them most damaging, compared with only 23% for external attacks, as shown in Figure 3.
One remaining concern, however, is that organizations rank malicious insider threat as causing more damage than unintentional insider threat, which indicates a lack of maturity in cyber security, because in reality the most damaging threat to most organizations is the unintentional insider. Malicious insider action will always be a concern, but with proper access control, segmentation and monitoring, it can be minimized.
Unintentional insider involvement can pose a greater risk, and cause considerably more damage, by allowing adversaries to slip into a network undetected. Lack of visibility and monitoring capability is a plausible explanation for the emphasis on malicious insiders. When the source of an attack is external, most organizations stop asking why it happened. They may investigate the source and methods, but they do not dig deeply enough to realize that the opening for the attack was a vulnerability created by an unsuspecting insider.
While developing questions for this survey, we predicted that the biggest category of financial loss would be "Unknown" (the respondent does not know whether the organization has placed a value on the loss) or "No value placed" (the organization has not placed any value on the potential loss). This is because most organizations do not have the monitoring and reporting mechanisms needed to determine the true impact of an insider compromise. Figure 4 illustrates the reported potential losses.
The level of access and organizational knowledge available to insiders makes it difficult for organizations to detect or estimate the negative impact of data loss. Determining the true extent of damage beyond the obvious can take years and, in some cases, it is never determined.
For example, a sufficiently subtle insider attack could allow product plans to be stolen and sold to competitors without the organization realizing it had happened. Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone “stealing it.” Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause can be linked back to an insider.