Nobody really knows the precise scope of the insider threat within organizations. Attacks perpetrated by employees are so difficult to identify that they often go undetected for weeks, months, or even years.
There has been an uptick in reports of insider breaches and thefts, as employees have become more savvy in the ways of accessing sensitive information, or misusing their privileges. Mainstream technologies make it easier to perpetrate this type of inside job. Some useful statistics can point the way as you look to shore up your own organization:
- More than one-quarter of respondents that have detected a cybersecurity incident cannot identify the source. According to the 2014 US State of Cybercrime Survey from PriceWaterhouse Coopers, a full 26 percent of the more than 500 U.S. business executives, law enforcement officials, and government managers surveyed said they could not determine where a cybersecurity breach originated. Attribution remains difficult, so some of these attacks could come from within.
- Insiders are considered responsible for 28 percent of cybercrime breaches. Respondents to the PwC cybercrime survey agreed that while these incidents “typically fly under the media radar” or often go unreported, that employees, service providers and contractors are responsible for nearly three in 10 of all cyber breaches.
- Insider crimes are more damaging and costly according to 32 percent of executives. Nearly one-third of executives surveyed by PwC said that they found insider online crimes perpetrated by their employees or other trusted insiders cost them more in both financial losses and reputational risk. This could be in part because insiders are more likely than outsiders to know where the best information is kept, or in part because insiders are typically able to cover their tracks and continue operating undetected for longer periods of time.
- And yet, less than half of organizations have a plan to deal with this. Only 49 percent of executives responding to the PwC survey say they have a plan in place to respond to insider threats. Never mind predicting or preventing them. This, despite the fact that, according to PwC, “many insider incidents result from employee vulnerabilities such as social engineering and loss of devices—risks that could be very well mitigated by employee training.”
- U.S. organizations lose more money to cybercrime than foreign counterparts. A separate PwC report, the 2014 Global Economic Crime Survey, found that 7 percent of U.S. organizations lost $1 million or more due to cybercrime incidents in 2013, as compared with just 3 percent of global organizations. Also, 19 percent of U.S. enterprises reported losing $50,000 to $1 million that year, as compared with 8 percent of their counterparts outside the U.S. Given the higher cost of an inside breach, predicting and preventing insider breaches could have a pronounced effect on stemming U.S. organizations’ losses.
- More than half of insider incidents involve abuse of privileges. According to the Verizon 2015 Data Breach Investigations Report (Verizon DBIR), 55 percent of insider breaches come as a result of someone taking or being granted privileges way above their pay grade. In other words, organizations that grant broad privileges could mitigate at least some of their insider exposure if they were more diligent in limiting and removing privileges quickly.
- One out of five incidents is STILL due to phishing. Perhaps unbelievably, given the amount of training and media exposure given to fake baiting emails, phishing schemes still account for 20 percent of incidents where hackers are able to gain insider access through an unintentional accomplice, according to the Verizon DBIR. Maybe, however, it is not so surprising. According to Verizon, “a campaign of 10 emails yields a greater than 90% chance that at least one person will become the criminal’s prey.”
By being mindful of these trends, organizations have a better chance of sidestepping the same pitfalls in their own Insider Threat program, and can be better prepared for incidents when they occur.