
Insider Threat Report 2018

Revealing how IT and security professionals are dealing with risky insiders and how organizations are preparing to better protect their critical data and IT infrastructure.


INTRODUCTION

Today’s most damaging security threats are not originating from malicious outsiders or malware but from trusted insiders - both malicious insiders and negligent insiders. This survey is designed to uncover the latest trends and challenges regarding insider threats as well as solutions to prevent or mitigate insider attacks.

Our 400,000 member online community, Cybersecurity Insiders, in partnership with the Information Security Community on LinkedIn, asked Crowd Research Partners to conduct an in-depth study of cybersecurity professionals to gather fresh insights, reveal the latest trends, and provide actionable guidance on addressing insider threat.

KEY SURVEY FINDINGS

  1. Ninety percent of organizations feel vulnerable to insider attacks. The main enabling risk factors include too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%).
  2. A 53% majority have confirmed insider attacks against their organization in the previous 12 months (typically fewer than five attacks). Twenty-seven percent of organizations say insider attacks have become more frequent.
  3. Organizations are shifting their focus to detection of insider threats (64%), followed by deterrence methods (58%), and analysis and post-breach forensics (49%). The use of user behavior monitoring is accelerating; 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data.
  4. The most popular technologies to deter insider threats are Data Loss Prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies deploy Intrusion Detection and Prevention Systems (IDPS), log management and SIEM platforms.
  5. The vast majority (86%) of organizations already have or are building an insider threat program. Thirty-six percent have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

NATURE OF INSIDER THREATS

Too often, people associate the term “Insider Threats” in cybersecurity with malicious employees intending to directly harm the company through theft or sabotage. In truth, negligent employees or contractors unintentionally cause an equally high number of security breaches and leaks.

[Figure: nature of insider threats]

In this year’s survey, companies are as worried about accidental/unintentional data breaches (51%) through user carelessness, negligence or compromised credentials as they are about deliberate malicious insiders (47%).

Security professionals have a unique responsibility to detect, counter and respond to cyber attacks. This job becomes more challenging when threats come from within the organization, from trusted and authorized users. It is often difficult to determine whether users are simply doing their job or actually doing something illegal or unethical.

The survey indicates that both regular employees (56%) and privileged IT users (55%) pose the biggest insider security risk to organizations, followed by contractors (42%).

Data is no longer just an IT asset; it’s a core strategic asset and some types of data are more valuable than others. Confidential business information, which encompasses company financials along with customer and employee data, is a highly strategic asset and equally a high-value target. Again this year, confidential business information (57%) takes the top spot as most vulnerable to insider attacks, followed by privileged account information (52%), and sensitive personal information (49%).

[Figure: data most vulnerable to insider attacks]

Cybercriminals see a greater opportunity in targeting the places where corporate data is stored in volume. Databases (50%) and corporate file servers (46%) pose the highest risk. In this year’s survey, mobile devices are perceived as a lesser target and the least vulnerable (25%).

The most common cause of insider threats is accidental exposure by employees. Cybersecurity experts view phishing attempts (67%) as the biggest vulnerability for accidental insider threats. Phishing attacks trick employees into sharing sensitive company information by posing as a legitimate business or trusted contact, and they often contain malware attachments or hyperlinks to compromised websites.

The survey reveals that cybersecurity professionals perceive the following three factors as the top enablers of insider attacks: too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and technology becoming more complex (35%).

We asked cybersecurity professionals to assess their organization’s vulnerability to insider threats. Ninety percent of organizations feel vulnerable. Only six percent say they are not at all vulnerable to an insider attack.

Looking back, 33% of organizations experienced five or fewer insider attacks in the last 12 months, while 20% experienced six or more attacks.

[Figure: recent insider threats]

Twenty-seven percent say their organizations have experienced more frequent insider threats in the last 12 months. Nearly half of the security professionals polled (46%) believe the frequency of insider attacks has remained at the same level, while 21% say the frequency has decreased.

Two-thirds of organizations (66%) consider malicious insider attacks or accidental breaches more likely than external attacks.

Forty-four percent of organizations perceive all attacks (malicious, external and accidental) as equally damaging, while 31% believe malicious/deliberate insider attacks are more damaging than external attacks (14%). The weight placed on accidental insider breaches (11%) seems too low, perhaps underestimating the potential damages.

While the true cost of a major security incident is not easy to determine, the most common estimate is a range of $100,000 to $500,000 per successful insider attack (27%). Twenty-four percent expect damages to exceed $500,000.

DETECTION

Insider data threats present another layer of complexity for IT professionals to manage, requiring careful planning with regard to access controls, user permissions and monitoring of user actions. Fifteen percent of organizations said they do not have adequate controls in place.

The good news is that security practitioners realize that advanced detection and prevention are key; the majority of respondents (73%) have implemented security controls and policies to deal with impending threats.

An organization’s control framework is the set of safeguards, separation of duties and recommended actions that IT professionals use to minimize security risks and exposure. We asked security practitioners which security controls they use to deal with inevitable insider threats.

[Figure: insider threat controls]

Data Loss Prevention (DLP) (60%) and encryption of data (at rest, in motion, in use) (60%) tied for the top spot. Respondents said Identity and Access Management (IAM) (56%) and endpoint and mobile security (50%) were also deployed to avert insider attacks.

There are numerous methods and security tools available to help cybersecurity professionals detect and analyze insider attacks. A vast majority of the respondents identified the use of more than one security tool in their organization. By merging and analyzing these disparate sources, organizations are better able to deal with security breaches.

The survey concluded that most insider exploits are detected through Intrusion Detection and Prevention System (IDS/IPS) (63%), Log Management (62%), and Security Information and Event Management (SIEM) (51%) tools.

Identification, tracking and monitoring of key assets and system resources can help avert or limit an organization’s exposure to insider attacks. When security professionals manage and monitor their key assets, they are able to react faster and with more precision to mitigate incidents. More than three-fourths (78%) of respondents inventory and monitor all or the majority of their key assets.

An overwhelming majority (93%) of organizations monitor access to sensitive data. The level of monitoring varies; 47% continuously monitor data access and movement to proactively identify threats. Remarkably, five percent do not monitor data access and movement at all.

The increasing volume of insider threats has caused cybersecurity professionals to take more action and deploy User Behavior Analytics (UBA) tools and solutions to help detect, classify and alert on anomalous behavior. The number of organizations monitoring user behavior has increased significantly compared to last year (94% this year compared to 42% last year). The number of organizations that don’t monitor their users dropped from 21% last year to only six percent this year.

In this year’s survey, respondents said that they leverage User Activity Monitoring (UAM) (44%) as their top solution to manage user behavior within core applications, followed closely by the use of server logs (42%). Eight percent of respondents have no visibility at all, a decrease from last year of five points, which signals that organizations are investing in tools and resources to have better visibility into user activity.

Every organization must be vigilant when it comes to data protection. Not all insider threats are malicious; some are the result of an honest mistake or careless employee behavior. Monitoring allows cybersecurity professionals to decrease their risk exposure by quickly detecting unusual employee system activity. Ninety percent of the respondents believe that it is necessary to monitor access to the organization’s sensitive data.

Identification of high-risk insiders is a key part of a threat prevention strategy. One way to identify these individuals is to profile their behavior and work patterns. Hostility toward other employees, frequent lateness or absence, undue work outside normal working hours, and declining performance are just some of the indicators. Organizations surveyed strongly believe it is necessary to identify high-risk insiders based on their behaviors (88%).

The number of organizations that do not leverage threat analytics continues to decline year after year. This year, only 14% of respondents said they do not use analytics, compared to 30% last year.
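The monitoring described above (sensitive-data access tracking, server logs as a User Activity Monitoring source, and behavioral indicators such as activity outside normal working hours) can be illustrated with a small log-analysis pass. The following is an added example, not code from the report or from any vendor it mentions: it parses a constructed access log, then raises two kinds of findings, sensitive-data access outside an assumed business-hours window and a day on which a user's sensitive-data access volume is far above that user's own baseline. The log format, the business-hours range, the sensitivity tags and the thresholds are all assumptions chosen for the illustration.

```python
"""Toy UAM/UBA-style pass over sensitive-data access logs (added example).

The log lines, the business-hours window and the thresholds below are
constructed for illustration; a real deployment would take them from the
organization's own logging pipeline and policy.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean
from typing import List, NamedTuple, Tuple

# Constructed sample log: "<ISO timestamp> <user> <action> <resource> <sensitivity>"
SAMPLE_LOG = """\
2018-03-05T09:12:44 alice READ /fin/q1_report.xlsx confidential
2018-03-05T10:03:10 alice READ /fin/budget.xlsx confidential
2018-03-05T14:20:01 bob READ /hr/payroll.csv pii
2018-03-06T09:40:12 alice READ /fin/forecast.xlsx confidential
2018-03-06T11:15:33 bob READ /hr/benefits.csv pii
2018-03-07T02:47:09 bob COPY /hr/payroll.csv pii
2018-03-07T02:48:30 bob COPY /hr/benefits.csv pii
2018-03-07T02:49:02 bob COPY /hr/ssn_export.csv pii
2018-03-07T02:50:15 bob COPY /hr/salaries.csv pii
2018-03-07T02:51:44 bob COPY /hr/addresses.csv pii
2018-03-07T09:05:00 alice READ /fin/q1_report.xlsx confidential
2018-03-07T16:30:21 carol READ /eng/design.md internal
"""

SENSITIVE = {"confidential", "pii"}   # assumed sensitivity tags worth monitoring
BUSINESS_HOURS = range(7, 20)         # assumed 07:00-19:59 local window
VOLUME_FACTOR = 3                     # flag a day above N x the user's mean daily count
MIN_EVENTS = 3                        # ignore tiny counts that would trip the ratio

Finding = Tuple[str, str, str, str]   # (kind, user, day, detail)


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    resource: str
    sensitivity: str


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; reject lines that do not fit it."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, user, action, resource, sens = m.groups()
        events.append(Event(datetime.fromisoformat(ts), user, action, resource, sens))
    return events


def off_hours_findings(events: List[Event], business_hours=BUSINESS_HOURS) -> List[Finding]:
    """One finding per (user, day) with sensitive-data access outside business hours."""
    buckets: Counter = Counter()
    for e in events:
        if e.sensitivity in SENSITIVE and e.ts.hour not in business_hours:
            buckets[(e.user, e.ts.date().isoformat())] += 1
    return [("off_hours_access", user, day, f"{n} sensitive accesses outside business hours")
            for (user, day), n in sorted(buckets.items())]


def volume_findings(events: List[Event], factor=VOLUME_FACTOR, min_events=MIN_EVENTS) -> List[Finding]:
    """Flag days on which a user's sensitive-data access count far exceeds that user's own baseline."""
    per_user_day = defaultdict(Counter)
    for e in events:
        if e.sensitivity in SENSITIVE:
            per_user_day[e.user][e.ts.date().isoformat()] += 1
    findings = []
    for user, days in sorted(per_user_day.items()):
        for day, n in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            if not others:
                continue  # no baseline yet for this user; nothing to compare against
            baseline = mean(others)
            if n >= min_events and n > factor * baseline:
                findings.append(("volume_spike", user, day,
                                 f"{n} sensitive accesses vs baseline {baseline:.1f}/day"))
    return findings


def analyze(text: str) -> List[Finding]:
    """Run both checks over a raw log and return the combined findings."""
    events = parse_log(text)
    return off_hours_findings(events) + volume_findings(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On the constructed log the pass produces two findings, both for the same user and day: five sensitive-data accesses at around 02:50 and a daily count five times that user's baseline. Per-user baselines matter here because, as the report notes, the hard part is separating people doing their job from genuinely unusual activity; a fixed global threshold would either miss a low-volume user's spike or flag a high-volume role every day.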

INSIDER THREAT PROGRAM

Organizations are shifting their focus to detection of internal threats. In this year’s survey, detection (64%) surpassed deterrence methods (58%) to take the top spot, followed by analysis and post-breach forensics (49%).

The survey reveals that organizations have recognized the growing significance of insider threats and are investing resources to develop comprehensive incident response plans. A vast majority (86%) of organizations have or are building an insider threat program. Thirty-six percent have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

A majority of respondents surveyed (81%) say their organizations are moderately to very effective when it comes to addressing insider threat prevention and detection. Thirteen percent expressed that their organization’s insider threat programs are ineffective, while six percent do not have a program in place.

For the third year in a row, lack of training and expertise (52%) remains the biggest barrier to better insider threat management. Other barriers include the lack of suitable technology (43%), while tied for third place in this year’s survey are lack of collaboration among departments (34%) and lack of budget (34%). Notably, lack of budget fell from second place last year to third this year.

Detecting and preventing insider attacks is much more challenging than dealing with external breaches, since insiders are users with legitimate access who either unwittingly create vulnerabilities or intend to maliciously exploit an organization’s cyber assets. Slightly more than one-fifth of respondents say they detect insider threats within minutes (22%), while 28% say within hours.

[Figure: speed of insider threat detection]

In this year’s survey, organizations are even more confident in their ability to quickly recover from insider attacks. Most organizations feel they could recover from an attack within a week (89%), up 18% from the previous year. Only two percent of companies believe they would never fully recover.

Looking ahead, close to half of the surveyed organizations (49%) expect budget increases. Forty-three percent expect their IT budgets to remain flat, while only one percent foresee their security funding shrinking. This is a marked improvement in budget outlook compared to last year’s survey.

Defending against security attacks is an ongoing challenge; cybersecurity professionals are equally concerned about the rise in the volume and frequency of both external and insider attacks. Forty-three percent of organizations allocate over eight percent of their IT security budget to preventing, detecting, and mitigating insider threats.

Having a well-understood information security policy and documented procedures helps protect organizations and reduce risk from both internal and external cyber threats. The primary policy-based insider threat management methods that organizations have in place are company policies and training (68%), internal audits (63%), and background checks (56%).

Organizations realize that prevention and awareness are key cornerstones in the defense against insider security breaches; an overwhelming majority (82%) have implemented insider security programs.