9/13/2016
06:30 PM

Insider Incidents Cost Companies $4.3 Million Per Year On Average

Breaches caused by external attackers posing as insiders are the most financially damaging, Ponemon Institute survey finds.

Careless users and contractors continue to be the biggest source of insider incidents at most organizations. But external attackers posing as legitimate users via stolen credentials can cause far more financial damage, a new survey by the Ponemon Institute shows.

Ponemon polled 280 IT and security practitioners from 54 medium to large organizations between April and July this year. The findings show that nearly four years after Edward Snowden’s famous data leaks, the insider threat remains as intractable a problem as ever for many organizations.

The survey, sponsored by security vendor Dtex Systems, reports a total of 874 insider incidents across respondent organizations over the past 12 months. A total of 568 of those incidents were caused by employee or contractor negligence, 191 were tied to malicious employees and criminals, while 85 were caused by outside imposters with stolen credentials.

Cumulatively, security incidents stemming from negligent and careless employees or contractors cost the most money. Organizations spent about $2.3 million annually dealing with the fallout from such incidents, at an average of about $207,000 per incident, the study found.

In contrast, the annualized cost from all imposter-related breaches was relatively lower, at $776,000. But the cost per incident involving imposters was $493,000 — much higher per incident than breaches caused by negligence and carelessness and those caused by malicious insiders.

On average, the organizations in Ponemon’s survey reported spending $4.3 million in total on insider-related incidents over the past 12 months. The costs tended to vary by organization size. Large organizations with more than 75,000 employees spent more than $7 million annually, while smaller organizations with between 1,000 and 5,000 employees spent around $2 million.

The costs encompass monitoring and surveillance, investigation, response, containment, incident analysis, and remediation. 

Organizations implementing security controls to mitigate insider threats should consider the threat posed by external adversaries in their planning, says Larry Ponemon, chairman and founder of the Ponemon Institute.

"Our benchmarking suggests that while the number one insider problem is negligence, the most expensive are those involving credential theft," Ponemon says. "The issue is important because a lot of companies don't see credential theft as an insider threat."

Security incidents caused by insiders have been a long-standing issue for organizations. Former NSA analyst Snowden’s data leaks on the government’s surveillance operations back in 2012 are often cited as one of the most dramatic examples of the damage that an insider with privileged access to enterprise networks can do.

But such incidents are more the exception than the rule. A vast majority of insider breaches come from more banal causes such as someone inadvertently emailing or publishing a list containing sensitive data, or losing a mobile device with unencrypted files.

"The main takeaway is that not having the right people and the right technologies can be very costly for organizations," Ponemon says.

Companies should look beyond their existing security toolset and consider using behavioral analytics technologies to spot anomalous behavior, he says. They should also consider ramping up employee awareness and training, he adds.

"The training programs that companies have are just not very good," he says. "They are really focused on check-the-box compliance requirements to show everyone that your company is training on data protection."

Evidence shows that good training can make a difference. "But most companies are penny-wise and pound-foolish," Ponemon says.

The full report is here

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
JulietteRizkallah,
User Rank: Moderator
9/26/2016 | 12:19:55 PM
Re: Dealing with insider threats
It seems easy to say: let's terminate negligent employees, but establishment of negligence vs. lack of training or even in some cases tricky social engineering makes it impossible to apply a fair rule in most of the cases. There isn't any silver bullet and protecting data takes work and commitment, starting with a strong governance of who has access to what data vs. who should have access.
Chief Security Officer,
User Rank: Apprentice
9/13/2016 | 9:15:22 PM
Dealing with insider threats
Periodic training and awareness must continue to be provided within the organization. However, I think this should be accompanied by organizations following through with consequences directed at the negligent employees. That is, loss of privileges and perhaps even termination. An employee seeing these consequences leveraged against others may be even more cognizant of the training provided and implement principles of the same.