Budgeting to Address Insider Threats
Since most organizations do not have a separate budget item for insider threat
countermeasures, it’s not difficult to imagine why 47% of the respondents lacked specific
knowledge of their spending on insider threats. After all, organizations usually base
their budgets on where they spend money, rather than the problems the money solves.
Typical security budgets have line items for firewalls, IPSes or DLP, but do not have
money allocated for “threat prevention.”
This suggests that organizations spend little if any dedicated resources on insider threats. Because such threats are a problem that has been recognized relatively recently,
we accept that organizations do not yet have any dedicated line items for this area.
The results of this survey show that insider threats are a growing concern
and that insiders are constant targets. As with any problem in security, organizations
absolutely must dedicate resources to this problem or it will continue to get worse.
A look at the survey results shows that most organizations have a similar budget
misalignment, which goes a long way toward explaining why insider threats continue to
be a major problem for IT. As noted earlier, more than half (52%) of respondents perceive
negligent employees as the cause of significant damage, while almost half (44%) are
spending 10% or less of their budget on this area, so it’s clear why survey respondents
also suffer a significant number of insider breaches.
Preventing Insider Threats
Our survey asked practitioners to assess their ability to prevent or deter insider incidents
and attacks. Figure 8 shows respondents are quite confident in this area.
Naturally, organizations attempt to prevent attacks or stop the damage before it occurs,
but advanced attacks and insider threats make prevention difficult; in most cases,
damage control begins with detection. With 68% of respondents believing they can
prevent attacks, many organizations still focus on basic insider threats (i.e., negligent
users) without realizing how many attacks they miss. In fact, 75% of insider crimes go
unreported or are not prosecuted, and 36% of companies cite lack of evidence as a
Most organizations will suffer an insider compromise and many will be unable to prevent
all attacks. That your organization currently has an insider threat of some sort is a near
certainty. Therefore, you have to approach security with the assumption that an insider
threat has already compromised you and focus your energy on detection.
Preventing insider attacks is important and a key part of security; however, organizations
often fool themselves into believing that they can stop all such attacks. Repeat the
following sentence three times: “Your organization is and will be compromised by
insiders.” Insiders—whether malicious or merely negligent—are a continuous and
constant problem for IT security; thinking otherwise is naïve.
Tools and Techniques in Use
Because they perceive insider threats as a “people” problem, many organizations
rely heavily on administrative solutions such as policies and procedures to deal with
the problem. Indeed, an overwhelming share of respondents (90%) say they utilize
these techniques, but any effective solution must integrate people, processes and
technologies. Administrative solutions cover people and processes, but without
technologies to monitor compliance and enforcement, those solutions often fall short.
As we will see, 34% of respondents indicated that they have suffered actual insider
incidents or attacks, some of which cost their organizations millions. If these same
organizations are using administrative controls as their main defense against insider threats, this could indicate that such administrative policies and procedures are partially
ineffective, at least for these respondents.
Although policies and procedures remain critical to security, technical solutions that
address prevention, detection and deterrence can effectively augment the controls
implemented to counter insider threats. Figure 9 shows that the respondents prefer
policies, audits and monitoring to deal with insider threats.
Our respondents’ declared reliance on “soft” solutions
illustrates a gap in how organizations perceive insider threats,
and this list can help fill that gap. Insider threats are an
advanced attack vector that requires an integrated defense-in-depth
Looking at these results based on organization size, lack of
budget, staff and training remain the top three issues for
respondents from medium-size organizations (1,000–9,999
users); those from larger and smaller organizations were more
likely to report lack of technology solutions in their top three,
with lack of staff being pushed into fourth place.