9/13/2016
06:30 PM

Insider Incidents Cost Companies $4.3 Million Per Year On Average

Breaches caused by external attackers posing as insiders are the most financially damaging, Ponemon Institute survey finds.

Careless users and contractors continue to be the biggest source of insider incidents at most organizations. But external attackers posing as legitimate users via stolen credentials can cause far more financial damage, a new survey by the Ponemon Institute shows.

Ponemon polled 280 IT and security practitioners from 54 medium to large organizations between April and July this year. The findings show that nearly four years after Edward Snowden’s famous data leaks, the insider threat remains as intractable a problem as ever for many organizations.

The survey, sponsored by security vendor Dtex Systems, reports a total of 874 insider incidents across respondent organizations over the past 12 months. A total of 568 of those incidents were caused by employee or contractor negligence, 191 were tied to malicious employees and criminals, while 85 were caused by outside imposters with stolen credentials.

Cumulatively, security incidents stemming from negligent and careless employees or contractors cost the most money. Organizations spent about $2.3 million annually dealing with the fallout from such incidents, at an average of about $207,000 per incident, the study found.

In contrast, the annualized cost from all imposter-related breaches was relatively lower, at $776,000. But the cost per incident involving imposters was $493,000 — much higher per incident than breaches caused by negligence and carelessness and those caused by malicious insiders.

On average, the organizations in Ponemon’s survey reported spending $4.3 million in total on insider-related incidents over the past 12 months. The costs tended to vary by organization size. Large organizations with more than 75,000 employees spent more than $7 million annually, while smaller organizations with between 1,000 and 5,000 employees spent around $2 million.

The costs encompass monitoring and surveillance, investigation, response, containment, incident analysis, and remediation. 

Organizations implementing security controls to mitigate insider threats should consider the threat posed by external adversaries in their planning, says Larry Ponemon, chairman and founder of the Ponemon Institute.

"Our benchmarking suggests that while the number one insider problem is negligence, the most expensive are those involving credential theft," Ponemon says. "The issue is important because a lot of companies don't see credential theft as an insider threat."

Security incidents caused by insiders have been a long-standing issue for organizations. Former NSA analyst Snowden’s data leaks on the government’s surveillance operations back in 2012 are often cited as one of the most dramatic examples of the damage that an insider with privileged access to enterprise networks can do.

But such incidents are more the exception than the rule. A vast majority of insider breaches come from more banal causes such as someone inadvertently emailing or publishing a list containing sensitive data, or losing a mobile device with unencrypted files.

"The main takeaway is that not having the right people and the right technologies can be very costly for organizations," Ponemon says.

Companies should look beyond their existing security toolset and consider using behavioral analytics technologies to spot anomalous behavior, he says. They should also consider ramping up employee awareness and training, he adds.

"The training programs that companies have are just not very good," he says. "They are really focused on check-the-box compliance requirements to show everyone that your company is training on data protection."

Evidence shows that good training can make a difference. "But most companies are penny-wise and pound-foolish," Ponemon says.

The full report is here

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
JulietteRizkallah,
User Rank: Ninja
9/26/2016 | 12:19:55 PM
Re: Dealing with insider threats
It seems easy to say: let's terminate negligent employees, but establishment of negligence vs. lack of training or even, in some cases, tricky social engineering makes it impossible to apply a fair rule in most of the cases. There isn't any silver bullet and protecting data takes work and commitment, starting with a strong governance of who has access to what data vs. who should have access.
Chief Security Officer,
User Rank: Apprentice
9/13/2016 | 9:15:22 PM
Dealing with insider threats
Periodic training and awareness must continue to be provided within the organization. However, I think this should be accompanied by organizations following through with consequences directed at the negligent employees. That is, loss of privileges and perhaps even termination. An employee seeing these consequences leveraged against others may be even more cognizant of the training provided and implement principles of the same.