Insider threats represent some of the costliest and potentially most dangerous risks facing organizations today. A malicious insider is often too well concealed to be detected using conventional approaches, and many organizations lack the internal tools to monitor risks associated with unwitting or negligent employees.
This report is the result of comprehensive crowd-based research, in partnership with the 300,000+ members of the Information Security Community on LinkedIn and Crowd Research Partners, to gain more insight into the state of insider threats and the available solutions to predict and prevent them.
My thanks to the Information Security Community and Crowd Research Partners for conducting this survey, and especially to everyone who took the time to answer its detailed questions.
The survey makes clear that most security professionals see insider threats as a persistent challenge, but one that competes with other threats for their resources and attention. They believe better organizational policy and more resources are the key to effectively managing the problem, and that increased use of analytics is an effective deterrent against insider threats.
I hope you find this report informative, and useful to your own organization.
Bryan Ware, CEO
Haystax Technology
Almost half of respondents have no idea if their organization experienced an insider attack in the last 12 months (49 percent). However, more people feel that insider attacks have become more frequent in the last 12 months (56 percent). Eighteen percent said they are seeing fewer breaches while 26 percent of respondents were not sure.
Q: How many insider attacks did your organization experience in the last 12 months?
Q: Do you think insider attacks have generally become more frequent over the last 12 months?
Malicious data breaches (61%) are among the critical insider threats organizations are most concerned about (in addition to negligent data breaches and inadvertent data breaches). Because malicious threats are premeditated, it becomes vitally important to predict and preempt these threats where possible.
Q: What type of insider threats are you most concerned about?
In this year’s survey, privileged IT users, such as administrators with access to sensitive information, pose the biggest insider threat (60 percent). This is followed by contractors and consultants (57 percent), and regular employees (51 percent).
Q: What user groups pose the largest security risk to organizations?
Monetizing sensitive data (55 percent), fraud (51 percent) and sabotage (42 percent) are the top motivations for malicious insider threats that companies are most concerned about. Espionage is the least concern, as highlighted by respondents (38 percent).
Monetizing sensitive data (55 percent), fraud (51 percent) and sabotage (42 percent) are the top motivations for malicious insider threats that companies are most concerned about. Espionage is the least concern, as highlighted by respondents (38 percent).
Q: What motivations for malicious insider threats are you most concerned about?
Given the amount of sensitive information that resides in databases, it is no surprise that similar to last year, 57 percent of companies named databases as the most vulnerable asset to an insider attack. File servers (55 percent) and mobile devices (44 percent) were named as the second and third assets that are most vulnerable. Cloud infrastructure was the least vulnerable (19 percent).
Q: What IT assets are most vulnerable to insider attacks?
As expected, due to its value, customer data is most vulnerable to insider attacks (63 percent) again this year. Financial data (55 percent) and intellectual property (54 percent) marginally switch spots.
Q: What types of data are most vulnerable to insider attacks?
Endpoints (57 percent) by far are the most common assets used to launch an insider attack. Cloud infrastructure (20 percent) is the least likely place people use to launch an attack.
Q: What IT assets are most commonly used to launch insider attacks from?
File servers 31% | Business applications 29% | Databases 27% | Cloud infrastructure or applications 20% | Not sure / Other 13%
Insufficient data protection strategies and solutions (57 percent) and the proliferation of sensitive data moving outside the firewall on mobile devices (54 percent) are again named as reasons for why insider threats are on the rise.
Q: What do you believe are the main reasons why insider threats are rising?
More employees, contractors, partners accessing the network 45% | Increasing amount of sensitive data 37% | Increased public knowledge or visibility of insider threats that were previously undisclosed 29 % | Technology is becoming more complex 27% | Increasing use of cloud apps and infrastructure 27% | Not sure / Other 10%
Seventy-four percent of organizations feel vulnerable to insider threats – a dramatic seven percentage point increase over last year’s survey. Even though 42 percent of companies feel they have appropriate controls to prevent an insider attack, only three percent of companies feel they are not at all vulnerable to an insider attack.
Q: How vulnerable is your organization to insider threats?
Q: Does your organization have the appropriate controls to prevent an insider attack?
Similar to our previous survey, the majority of respondents (66 percent) have a harder time detecting and preventing an insider attack versus an external cyber attack.
Q: How difficult is it to detect and prevent insider attacks compared to external cyber attacks?
The key reasons for the difficulty in detecting and preventing insider attacks are that insiders often already have access to systems and sensitive information (67 percent), the increased use of cloud based applications (53 percent), and the rise in the amount of data that is leaving the protected network perimeter (46 percent).
Q: What makes the detection and prevention of insider attacks increasingly difficult compared to a year ago?
More end user devices capable of theft 33% | Difficulty in detecting rogue devices introduced into the network or systems 32% | Absence of an Information Security Governance Program 31% | Insiders are more sophisticated 28% | Migration of sensitive data to the cloud along with adoption of cloud apps 24% | Not sure / Other 10%
Q: Do you monitor user behavior?
Most organizations monitor their user behavior (42 percent). Twenty one percent do not monitor user behavior.
Q: What level of visibility do you have into user behavior within core applications?
Again this year, most organizations (49 percent) rely on server logs to review user behavior. Only 25 percent have deployed dedicated user activity monitoring solutions. Thirteen percent of respondents have no visibility at all.
The number of organizations that use insider threat analytics is up 20 percent compared to last year. Of the 56 percent of organizations that are using some type of analytics, only eight percent use predictive analytics.
Q: Does your organization leverage analytics to determine insider threats?
Organizations that proactively implement specific controls to prevent cyber attacks as part of their risk management program outnumber those that do not almost 10:1.
Q: Do you include cyber attacks in your risk management framework?
The controls that these organizations utilize include security perimeter defense tools (76 percent), database and file monitoring tools (67 percent) and security events dashboards (58 percent).
Q: What risk controls are important for managing risk of cyber attack occurrences?
Access violations Key Risk Indicators by database or system 55% | Security event remediation processes 55% | Data loss and corruption Key Risk Indicators 52% | System of Record monitoring 46% | System down time Key Risk Indicators 24% | Not sure / Other 13%
Similar to our last survey, the biggest perceived barrier to better insider threat management is organizational, starting with a lack of training and expertise (60 percent). Rounding out the top three are insufficient budgets (50 percent) and lack of collaboration between departments (48 percent). Notably, lack of collaboration is the barrier with the highest gain since the previous survey, moving up 10 percentage points.
Q: What are the biggest barriers to better insider threat management?
Lack of staff 35% | Lack of suitable technology 28% | Not sure / Other 11%
User training (51 percent), background checks (39 percent) and monitoring user activity (35 percent) top the list of how organizations overcome insider threats.
Q: How does your organization combat insider threats today?
Information Security Governance Program 34% | Database Activity Monitoring 24% | Native security features of underlying OS 22% | Secondary authentication 21% | Specialized 3rd party applications and devices 15% | Custom tools and applications developed in house 11% | Managed Security Service provider 8% | We do not use anything 7% | Not sure/Other 15%
Most organizations continue to place their insider threat management focus and resources on deterrence tactics (61 percent), followed by detection (49 percent) and analysis and forensics (35 percent).
Q: What aspect(s) of insider threat management does your organization mostly focus on?
Deception (e.g., honeypots, etc) 9% | None 7% | Not sure / Other 3%
With insider attacks on the rise, 42 percent of organizations expect a security budget increase over the next 12 months. This represents a strong gain of eight percentage points from the previous year.
Q: How is your security budget changing over the next 12 months?
Q: How long would it typically take your organization to detect an insider attack?
Year over year companies are getting better at both detecting and recovering from insider attacks. This year most IT professionals feel their organization could detect an insider attack within one day, up six percent year over year.
Within one month 9% | Within three months 7% | Longer than three months 7% | No ability to detect 13%
Q: How long would it typically take your organization to recover from an insider attack?
Organizations are getting more confident of their ability to recover from an attack. Sixty-eight percent of organizations feel they could recover from an attack within a week – up over 20 percent from last year’s survey.
Within one month 15% | Within three months 5% | Longer than three months 9% | No ability to recover 3%
Q: What is the estimated, average cost of remediation after an insider attack?
Insider attacks can be costly to organizations, from immediate economic impact to long term damages in reputation and trust. This year, successful attacks are costing organizations even more money and the damage is getting more difficult to detect. Over 75 percent of organizations estimate costs could reach a half a million dollars. Of those that are able to estimate the average cost of remediation, 25 percent believe the cost exceeds $500,000 and can reach in the millions.
Q: Within your organization, how difficult is it to determine the actual damage of an occurred insider threat?
Eighty seven percent of organizations find it difficult to determine the actual damage of an insider threat. This is 20 percent more than last year.
The respondents range from technical executives to managers and IT security practitioners, and they represent organizations of varying sizes across many industries. Their answers provide a comprehensive perspective on the state of cloud security today.