Haystax: Prioritized Risks, Actionable Intelligence

Defending Against the Wrong Enemy

2017 SANS Insider Threat Survey

Executive Summary

It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage. Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside. This survey highlights the importance of managing internal threats as the key to winning at cyber security.

Even advanced external adversaries try to focus on the easiest way to compromise an organization. Organizations’ increased focus on robust perimeters and locked-down systems has made their servers more difficult to compromise, leaving insiders as the easiest attack vector available. Because organizations typically have a lot more insiders than servers, and it may take only one click on the wrong link or attachment to compromise an organization, adversaries have increasingly focused on insiders as a primary point of attack. This survey was designed to provide greater insight into the state of the art of insider compromise and what organizations can do to protect against this major threat lurking in most organizations.

The following are some of the key takeaways from this survey:

  • Organizations recognize the importance of insider threat. Survey results are very promising in that they indicate organizations recognize insider threat as the most potentially damaging component of their threat environments. Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition.
  • Losses due to insider threat are largely unknown. Relatively few respondents were able to quantify either real or potential losses due to insider threat. Organizations often do not spend money in a critical area if they cannot quantify the losses. This could explain why insider threat is a concern but not a primary focus.
  • Incident response is not focused primarily on the insider. Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20% of respondents reported having a formal incident response plan that deals with insider threat. The primary focus of incident response is to recover from an adverse event. Incident response plans that are focused on external threats might explain why many organizations struggle to respond to incidents involving insiders.
  • Detection of insider threat is still not effective. More than 60% of the respondents claimed they have never experienced an insider threat attack. This result is very misleading. It is important to note that 38% of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.
  • Organizations must deal with both malicious and accidental insider threats. When most people hear the term insider threat, they typically think of the malicious insider, who is purposely causing harm to an organization. Although this type of insider will always be a concern, the bigger threat to most organizations is the accidental insider—a legitimate user whose login has been stolen or who has been manipulated into giving an attacker access through other means. It is possible that respondents did not consider those compromised insiders as being part of what is considered an insider threat. Respondents to the survey most frequently cited malicious employees (43%) as their biggest concern. It is promising, however, that the accidental or negligent insider is a very close second (at 39%), which means organizations are focusing more resources in the correct area.

[Graphic: Key results]

We explore these and other valuable insights in the following pages.

Current State of Insider Threat

The respondents to the survey come from a wide range of organizations. The size of the organizations ranges from fewer than 100 employees to more than 100,000. The largest group consists of organizations with more than 100 employees but fewer than 10,000. The bulk of responses come from U.S.-based companies, but all major global regions are represented in the survey. The breakdown of industries represented (see Figure 1) is particularly revealing.
[Figure 1: Industries represented]
It would not be surprising if industries that tend to have more critical intellectual property—including banking, government and high tech—were more conscious of the risk of data loss from insiders and were, therefore, more likely to participate in a survey on the topic. The important thing to remember is that any organization, regardless of its business or the relative volume of personal or intellectual property it relies upon, can be targeted by an adversary. Experience tells us that organizations that perceive their data as having comparatively low value, and that therefore spend less on cyber security, are often compromised because they are easier targets. If something is perceived as having low value and is not protected, it is much easier for an adversary to compromise—and much more difficult to detect that compromise when an attack occurs.
From a maturity perspective, the survey shows that organizations are starting to recognize the importance of insider threat and are focusing more resources on building out a proper incident response process. Forty-nine percent of respondents report that they are in the process of building out a program, but what is concerning is that 31% still do not have a plan and are not focusing effort on the insider threat, as illustrated in Figure 2.
[Figure 2: Maturity of insider threat programs]
While it is important to develop incident response plans to address insider threat, it is also important to build out defensive measures to both prevent and detect attacks in a timely manner. Ensuring that programs are effective requires metrics to measure and track the progress of security controls as they are developed, and to verify that they are effective and focused on the right threat vectors.

It would be interesting to correlate the number of organizations lacking insider threat programs with the number of breaches and the volume of data compromised. Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify. From this author’s experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.

Most Damaging Vector

One ray of hope among these survey results is the indication that organizations have begun to recognize that the potential for damage from insiders is greater than from external threats. Both unintentional and malicious insider action were ranked higher (with 36% and 40% naming them the most damaging, respectively) than external threats, which only 23% rated as the most damaging type of attack (severity 1), as shown in Figure 3.
[Figure 3: Responses indicating the greatest threat location, by percentage]
One remaining concern, however, is that organizations rank malicious insider threat as causing more damage than unintentional insider threat. This indicates a lack of maturity in cyber security, because in reality the most damaging threat to most organizations is the unintentional insider. Malicious insider action will always be a concern, but with proper access control, segmentation and monitoring, it can be minimized.

Unintentional insider involvement can pose a greater risk, and considerably more damage, by allowing adversaries to sneak into a network undetected. Lack of visibility and monitoring capability are possible explanations for the emphasis on malicious insiders. When the source of an attack is external, most organizations stop wondering why it happened. They might investigate the source and methods, but they do not dig deeply enough to realize that the impetus behind an attack was a vulnerability created by an unsuspecting insider.

Losses Due to Insider Threat

While developing questions for this survey, we predicted that the biggest category of financial loss would be “Unknown” (don’t know whether the organization has placed a value on the loss) or “No value placed” (the organization hasn’t placed any value on the potential loss). This is because most organizations do not have proper monitoring and reporting mechanisms to determine the true impact of the exploitation of insider attacks. Figure 4 illustrates the reported potential losses.
[Figure 4: Value of potential loss from insider threat]
The level of access and organizational knowledge available to insiders makes it difficult for organizations to detect or estimate the negative impact of data loss. Determining the true extent of damage beyond the obvious can take years and, in some cases, it is never determined.

For example, a sufficiently subtle insider attack could allow product plans to be stolen and sold to competitors without the organization realizing it had happened. Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone “stealing it.” Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause can be linked back to an insider.

Download the full 2017 SANS Insider Threat Survey