9/13/2016
06:30 PM

Insider Incidents Cost Companies $4.3 Million Per Year On Average

Breaches caused by external attackers posing as insiders are the most financially damaging, Ponemon Institute survey finds.

Careless users and contractors continue to be the biggest source of insider incidents at most organizations. But external attackers posing as legitimate users via stolen credentials can cause far more financial damage, a new survey by the Ponemon Institute shows.

Ponemon polled 280 IT and security practitioners from 54 medium to large organizations between April and July this year. The findings show that nearly four years after Edward Snowden’s famous data leaks, the insider threat remains as intractable a problem as ever for many organizations.

The survey, sponsored by security vendor Dtex Systems, reports a total of 874 insider incidents across respondent organizations over the past 12 months. A total of 568 of those incidents were caused by employee or contractor negligence, 191 were tied to malicious employees and criminals, while 85 were caused by outside imposters with stolen credentials.

Cumulatively, security incidents stemming from negligent and careless employees or contractors cost the most money. Organizations spent about $2.3 million annually dealing with the fallout from such incidents, at an average of about $207,000 per incident, the study found.

In contrast, the annualized cost from all imposter-related breaches was relatively lower, at $776,000. But the cost per incident involving imposters was $493,000 — much higher per incident than breaches caused by negligence and carelessness and those caused by malicious insiders.

On average, the organizations in Ponemon’s survey reported spending $4.3 million in total on insider-related incidents over the past 12 months. The costs tended to vary by organization size. Large organizations with more than 75,000 employees spent more than $7 million annually, while smaller organizations with between 1,000 and 5,000 employees spent around $2 million.

The costs encompass monitoring and surveillance, investigation, response, containment, incident analysis, and remediation. 

Organizations implementing security controls to mitigate insider threats should consider the threat posed by external adversaries in their planning, says Larry Ponemon, chairman and founder of the Ponemon Institute.

"Our benchmarking suggests that while the number one insider problem is negligence, the most expensive are those involving credential theft," Ponemon says. "The issue is important because a lot of companies don't see credential theft as an insider threat."

Security incidents caused by insiders have been a long-standing issue for organizations. Former NSA analyst Snowden’s data leaks on the government’s surveillance operations back in 2012 are often cited as one of the most dramatic examples of the damage that an insider with privileged access to enterprise networks can do.

But such incidents are more the exception than the rule. A vast majority of insider breaches come from more banal causes such as someone inadvertently emailing or publishing a list containing sensitive data, or losing a mobile device with unencrypted files.

"The main takeaway is that not having the right people and the right technologies can be very costly for organizations," Ponemon says.

Companies should look beyond their existing security toolset and consider using behavioral analytics technologies to spot anomalous behavior, he says. They should also consider ramping up employee awareness and training, he adds.

"The training programs that companies have are just not very good," he says. "They are really focused on check-the-box compliance requirements to show everyone that your company is training on data protection."

Evidence shows that good training can make a difference. "But most companies are penny-wise and pound-foolish," Ponemon says.

The full report is here


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
JulietteRizkallah,
User Rank: Ninja
9/26/2016 | 12:19:55 PM
Re: Dealing with insider threats
It seems easy to say: let's terminate negligent employees, but establishment of negligence vs. lack of training or even in some cases tricky social engineering makes it impossible to apply a fair rule in most of the cases. There isn't any silver bullet and protecting data takes work and commitment, starting with a strong governance of who has access to what data vs. who should have access.
Chief Security Officer,
User Rank: Apprentice
9/13/2016 | 9:15:22 PM
Dealing with insider threats
Periodic training and awareness must continue to be provided within the organization. However, I think this should be accompanied by organizations following through with consequences directed at the negligent employees. That is, loss of privileges and perhaps even termination. An employee seeing these consequences leveraged against others may be even more cognizant of the training provided and implement principles of the same.