New research by the SANS Institute, sponsored by Dtex, Haystax Technology and Rapid7, suggests that while global organisations are beginning to recognise that insider threats are potentially the most damaging cyber threat, their budgets and incident response plans have yet to align with their concerns.
Only 18% of respondents said they have developed incident response plans with provisions for insider threats. And while 49% indicate they are currently working on creating such programs, there is no indication of when they will be complete. Without a full incident response plan to address the dangers of insider threat, companies could be leaving themselves open to attack and drastically increasing the time needed to remediate any future insider incidents.
When considering the maturity scale of their programs, 31% of companies rated themselves as “immature” with no formal insider threat program. As the author, Eric Cole, notes, “experience shows that organisations that perceive their data as having comparatively low value, and that therefore spend less on cyber security, are often compromised because they are easier targets”. Employees are often seen as an easy access point for hackers, while malicious insiders can be motivated of their own accord, and accidental insiders may be blissfully ignorant of security protocol. With this broad level of risk, a failure to adequately prepare can fully expose a “secure” system to attack.
According to Cole, end users are “the entry points of choice” for many, and he delivers the damning statement that “if your organisation has been in existence for more than a few years, the probability of being hit by an insider-enabled attack is almost 100%”.
Interestingly, over 60% of survey respondents claim they have never suffered an insider attack. Cole reports that this figure is likely to be very misleading, considering that “38% of respondents said they do not have effective ways to detect insider attacks. Meaning the real problem may be that organisations are not properly detecting insider threats, not that they are not happening”.
Of high concern is the lack of visibility around the real cost of an insider attack. 45% of respondents claimed they didn’t know the potential for financial losses associated with an insider incident. Other responses ranged from “under $99,000” to “over $5M”. Notably, responses were clustered between the “$1M to $2.4M” mark and “over $5M”, showing that for those companies who are measuring loss, they are aware that the financial fallout of an insider attack can be substantial.
As the report notes, organisations cannot spend money in a critical area if they cannot quantify the losses. Cole puts forward the argument that this may be why insider threat is registering as a concern but not a priority.
Ramod Cherukumili, Head of Product Management at Dtex Systems, counters this argument by suggesting that “it’s easier to focus on external threats” as opposed to the “Herculean task” of detecting and managing internal threats.
As the report makes clear though, those responsible for cyber threats must turn their attention away from volume and instead towards the potential damage. As Cole notes, “[when] evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organisation, the most serious damage is done with help from the inside”.
Cole poses the interesting question: What’s the difference between a major incident and a minor incident?
His answer? The data that was compromised. The level and type of compromised data can ultimately determine the impact a breach will go on to have on an organisation. Seeing as insiders have direct access to an organisation’s most critical data, the impact of an insider attack is likely to be far more major than minor. Developing a comprehensive insider threat program that aligns with your current cyber security policies takes both time and commitment. To begin though, Cole outlines a checklist for addressing the insider threat:
- Identify the most critical data in your organisation: consider your most valuable data, whether that’s customer information, trade secrets, intellectual property, etc.
- Determine who currently has access to this data: identify insiders who could directly or indirectly access your sensitive data
- Restrict access to information to those who need it: remove unnecessary access and reduce the attack surface
- Get visibility into user behaviour: understand how users are currently using sensitive data
- Know your threats: create a threat map of accidental, malicious and compromised insiders who would have the highest likelihood of causing damage
- Know your vulnerabilities: determine which vulnerability would have the biggest impact if it was exploited
- Identify countermeasures to minimise or reduce the threat: consider application whitelisting, data protection, data segmentation and data classification
Insider threat is on the rise. Now is the time to protect your business.
Join C5 and leading experts from the London Stock Exchange, Barclays, EY, Addison Lee and Spearhead Advisory for 2 days of comprehensive training on the strategy, culture, people, processes and technology needed for an effective insider threat program.
Taking place in London on October 31st and November 1st, this conference is not to be missed.