The Numbers Boggle The Mind

by Mike Tierney | Nov 09, 2015

When discussing "prevention" of insider threats, what are we really talking about? Prevention is the ideal, but it's not a trivial task. The call is coming from inside the house. The vast (overwhelming) majority of your defenses were defeated when the insider became an insider. Locking out someone who's already in is, again, not trivial. We should do what we can, but at the same time acknowledge that, without adding some new tactics and tools to our strategy, we are going to have insider incidents.

Focus on detection first. Prevention is the ideal; detection is a must.

Here are some stats from a very recent survey, across 6 verticals:

How long does it take to detect an insider breach?

Ouch. And these stats are only relative to the insider breaches that get detected. If you aren't focused on detecting, you are not looking in the right place. Detecting insider threats requires analyzing user behavior and looking for anomalies.

Focus on response second. When an incident does occur, mitigating the damage is critical. The faster you respond, the less costly recovery will be.


Ouch again. With the exception of Education and Tech, we are not responding well. Responding to insider threats requires planning (does your incident response plan contain specific provisions for dealing with insider incidents?), coordination (an extended team including HR and Legal will likely be involved), and perhaps above all, information. If you don't have a comprehensive record of insider activity, your response will take longer.

Let's get serious about the insider threat. Detect first. Respond second. What have you got to lose?